
Windows Analysis Report
arquivo.msi

Overview

General Information

Sample name: arquivo.msi
Analysis ID: 1439020
MD5: 8fcb7d96688206baa33e4093593351f9
SHA1: 6be55cec7d9c516e3ece68c7b909ddae463a67a1
SHA256: 3779b1bea09e5cfaa95b068abac91aba4585390c529eff5b163ab0b0c14f9f99
Tags: msi

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Drops executables to the windows directory (C:\Windows) and starts them
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 5012 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\arquivo.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 4016 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4976 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E96AADE6A8E7D98403310AC332619A98 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSIBA7.tmp (PID: 2192 cmdline: "C:\Windows\Installer\MSIBA7.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ MD5: 768B35409005592DE2333371C6253BC8)
      • cmd.exe (PID: 6464 cmdline: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSIBC7.tmp (PID: 2364 cmdline: "C:\Windows\Installer\MSIBC7.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ MD5: 768B35409005592DE2333371C6253BC8)
    • windows10.exe (PID: 7164 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 1428 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 7028 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 6292 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom. MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 5884 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 5972 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
        • windows10.exe (PID: 4136 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
  • cleanup
No configs have been found
Source: 0000000A.00000002.3318176983.0000000000971000.00000020.00000001.01000000.00000007.sdmp, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
Source: 00000008.00000002.3318963670.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
Source: 00000009.00000002.3317317443.0000000000A11000.00000020.00000001.01000000.00000007.sdmp, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
Source: 0000000C.00000002.3317187917.00000000009B1000.00000020.00000001.01000000.00000007.sdmp, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
Source: 0000000B.00000002.3318022189.0000000000931000.00000020.00000001.01000000.00000007.sdmp, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
Source: Process started; Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\", CommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Installer\MSIBA7.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\, ParentImage: C:\Windows\Installer\MSIBA7.tmp, ParentProcessId: 2192, ParentProcessName: MSIBA7.tmp, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\", ProcessId: 6464, ProcessName: cmd.exe
No Snort rule has matched


            AV Detection

Source: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll Virustotal: Detection: 40%
Source: arquivo.msi Virustotal: Detection: 12%
Source: arquivo.msi ReversingLabs: Detection: 18%
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSIBA7.tmp, 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBA7.tmp, 00000004.00000000.2081694672.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBC7.tmp, 00000005.00000000.2082432642.000000000095D000.00000002.00000001.01000000.00000004.sdmp, MSIBC7.tmp, 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp, arquivo.msi, MSIBC7.tmp.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: arquivo.msi, MSIA1D.tmp.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIBA7.tmp, 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBA7.tmp, 00000004.00000000.2081694672.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBC7.tmp, 00000005.00000000.2082432642.000000000095D000.00000002.00000001.01000000.00000004.sdmp, MSIBC7.tmp, 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp, arquivo.msi, MSIBC7.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\Installer\MSIBA7.tmp File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002B05E9 FindFirstFileExW
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_009505E9 FindFirstFileExW
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00B9D08C FindFirstFileW
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00A1D08C FindFirstFileW
Source: windows10.exe, 0000000F.00000003.2476071768.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/
Source: cont.cmd.2.dr String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.php
Source: windows10.exe, 00000008.00000000.2092652640.0000000000497000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.audio-tool.net
Source: windows10.exe, 0000000F.00000003.2476071768.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_017516ED NtQueryInformationProcess
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4004ac.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9DD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9FD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA1D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA7C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB77.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBA7.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBC7.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI8A3.tmp
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_0027D060
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002A6078
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002AB336
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002B4609
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_00299730
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_0029F700
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002A38A0
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002A18EF
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002AE919
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_0029FA8E
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002ADB30
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_00280E90
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002B2EC5
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_00946078
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_0091D060
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_0094B336
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_00954609
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_0093F700
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_00939730
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_009438A0
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_009418EF
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_0094E919
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_0093FA8E
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_0094DB30
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_00920E90
Source: C:\Windows\Installer\MSIBC7.tmp Code function: 5_2_00952EC5
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00BCFD40
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00B9B5B8
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00E46710
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00D7A2CD
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00E57410
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00DB46B0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00D8D9E0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00D72AA0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00D75A34
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00E39F6C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00D79F4D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00E9E6C7
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00EA3728
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00E8BEE0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_00E8BB75
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_0133E715
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_014CE204
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_010E8935
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_010E84FE
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_01FBE871
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_01751901
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_0171B90D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_017173C1
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_01716BCB
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_01715882
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 8_2_01758550
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00A4FD40
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00A1B5B8
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00CC6710
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00BFA2CD
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00CD7410
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00C346B0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00C0D9E0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00BF2AA0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00BF5A34
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00CB9F6C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00BF9F4D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00D1E6C7
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00D23728
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00D0BEE0
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_00D0BB75
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011DB951
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011D8FD1
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011DB9C3
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_01309840
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011D0494
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011DAADF
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011BE776
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011AF4B2
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011AE164
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011AEB88
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011B6C79
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 9_2_011B60C9
Source: Joe Sandbox View Dropped File: C:\Users\user\Pictures\fotosdaviagem\windows10.exe 585741CA3C4041BB39D107F1F159D908650967FBCCAC3A491BCA389CC4BA0769
Source: Joe Sandbox View Dropped File: C:\Windows\Installer\MSI8A3.tmp 42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
Source: C:\Windows\Installer\MSIBA7.tmp Code function: String function: 002985D0 appears 39 times
Source: C:\Windows\Installer\MSIBA7.tmp Code function: String function: 00298246 appears 69 times
Source: C:\Windows\Installer\MSIBA7.tmp Code function: String function: 00298213 appears 100 times
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: String function: 00E9BF58 appears 36 times
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: String function: 00D1BF58 appears 36 times
Source: C:\Windows\Installer\MSIBC7.tmp Code function: String function: 00938213 appears 100 times
Source: C:\Windows\Installer\MSIBC7.tmp Code function: String function: 00938246 appears 69 times
Source: C:\Windows\Installer\MSIBC7.tmp Code function: String function: 009385D0 appears 39 times
Source: StarBurn.dll.2.dr Static PE information: Number of sections : 13 > 10
Source: arquivo.msi Binary or memory string: OriginalFilenameviewer.exeF vs arquivo.msi
Source: arquivo.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs arquivo.msi
Source: classification engine Classification label: mal64.evad.winMSI@25/33@0/0
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_002761D0 CreateToolhelp32Snapshot, CloseHandle, Process32FirstW, OpenProcess, CloseHandle, Process32NextW, CloseHandle
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_00276EE0 CoInitialize, CoCreateInstance, VariantInit, VariantClear, IUnknown_QueryService, CoAllowSetForegroundWindow, SysAllocString, SysAllocString, SysAllocString, SysAllocString, VariantInit, LocalFree, OpenProcess, WaitForSingleObject, GetExitCodeProcess, CloseHandle, LocalFree, VariantClear, VariantClear, VariantClear, VariantClear, VariantClear, SysFreeString, VariantClear, CoUninitialize, _com_issue_error
Source: C:\Windows\Installer\MSIBA7.tmp Code function: 4_2_00271D70 LoadResource, LockResource, SizeofResource
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLC2D.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI344.LOG
Source: Yara match File source: 0000000A.00000002.3318176983.0000000000971000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3318963670.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3317317443.0000000000A11000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3317187917.00000000009B1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3318022189.0000000000931000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3317598511.0000000000921000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (22 identical entries)
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
Source: C:\Windows\Installer\MSIBA7.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Installer\MSIBA7.tmp Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: arquivo.msi Virustotal: Detection: 12%
Source: arquivo.msi ReversingLabs: Detection: 18%
Source: windows10.exe String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd> (4 identical entries)
Source: windows10.exe String found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> (4 identical entries)
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\arquivo.msi"
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E96AADE6A8E7D98403310AC332619A98
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSIBA7.tmp "C:\Windows\Installer\MSIBA7.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSIBC7.tmp "C:\Windows\Installer\MSIBC7.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\Installer\MSIBA7.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: msi.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: windows.storage.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: wldp.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: uxtheme.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: propsys.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: profapi.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: edputil.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: urlmon.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: iertutil.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: srvcli.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: netutils.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: sspicli.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: wintypes.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: appresolver.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: bcp47langs.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: slc.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: userenv.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: sppc.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\Installer\MSIBC7.tmp | Section loaded: msi.dll
            Source: C:\Windows\Installer\MSIBC7.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Installer\MSIBC7.tmp | Section loaded: uxtheme.dll
            Source: C:\Windows\Installer\MSIBC7.tmp | Section loaded: sxs.dll
            Source: C:\Windows\Installer\MSIBC7.tmp | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\Installer\MSIBC7.tmp | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: magnification.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: d3d9.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: winsta.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: slwga.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: netapi32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: samcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: wkscli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: schedcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: logoncli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: security.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: wevtapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: olepro32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: activeds.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: adsldpc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: dxva2.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: dataexchange.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: d3d11.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: dcomp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: dxgi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: idndl.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\Installer\MSIBA7.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: arquivo.msi | Static file information: File size 30681088 > 1048576
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSIBA7.tmp, 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBA7.tmp, 00000004.00000000.2081694672.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBC7.tmp, 00000005.00000000.2082432642.000000000095D000.00000002.00000001.01000000.00000004.sdmp, MSIBC7.tmp, 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp, arquivo.msi, MSIBC7.tmp.2.dr
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: arquivo.msi, MSIA1D.tmp.2.dr
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIBA7.tmp, 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBA7.tmp, 00000004.00000000.2081694672.00000000002BD000.00000002.00000001.01000000.00000003.sdmp, MSIBC7.tmp, 00000005.00000000.2082432642.000000000095D000.00000002.00000001.01000000.00000004.sdmp, MSIBC7.tmp, 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp, arquivo.msi, MSIBC7.tmp.2.dr
            Source: initial sample | Static PE information: section where entry point is pointing to: ._0T
            Source: StarBurn.dll.2.dr | Static PE information: section name: .didata
            Source: StarBurn.dll.2.dr | Static PE information: section name: .lbI
            Source: StarBurn.dll.2.dr | Static PE information: section name: .4FN
            Source: StarBurn.dll.2.dr | Static PE information: section name: ._0T
            Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_002981F0 push ecx; ret 4_2_00298203
            Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_009381F0 push ecx; ret 5_2_00938203
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C04084 push ecx; mov dword ptr [esp], edx 8_2_00C04085
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFC078 push ecx; mov dword ptr [esp], ecx 8_2_00BFC07C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BD2050 push ecx; mov dword ptr [esp], eax 8_2_00BD2051
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BC11A0 push ecx; mov dword ptr [esp], eax 8_2_00BC11A1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C011F8 push ecx; mov dword ptr [esp], ecx 8_2_00C011FC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C00154 push ecx; mov dword ptr [esp], edx 8_2_00C00155
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BB9120 push 00BB91B9h; ret 8_2_00BB91B1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C00164 push ecx; mov dword ptr [esp], edx 8_2_00C00165
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BC1170 push ecx; mov dword ptr [esp], eax 8_2_00BC1171
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFD160 push ecx; mov dword ptr [esp], ecx 8_2_00BFD164
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFF144 push ecx; mov dword ptr [esp], ecx 8_2_00BFF148
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C46138 push ecx; mov dword ptr [esp], edx 8_2_00C4613A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFA2D8 push ecx; mov dword ptr [esp], ecx 8_2_00BFA2DC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BF9250 push ecx; mov dword ptr [esp], edx 8_2_00BF9251
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFE3AC push ecx; mov dword ptr [esp], ecx 8_2_00BFE3B0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFD34C push ecx; mov dword ptr [esp], ecx 8_2_00BFD350
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C034A4 push ecx; mov dword ptr [esp], edx 8_2_00C034A5
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C024A8 push ecx; mov dword ptr [esp], edx 8_2_00C024A9
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFA4C4 push ecx; mov dword ptr [esp], ecx 8_2_00BFA4C8
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C395DC push ecx; mov dword ptr [esp], edx 8_2_00C395E1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C05548 push ecx; mov dword ptr [esp], edx 8_2_00C05549
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BD46AC push ecx; mov dword ptr [esp], eax 8_2_00BD46AD
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BAB6C8 push ecx; mov dword ptr [esp], eax 8_2_00BAB6CA
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFF618 push ecx; mov dword ptr [esp], edx 8_2_00BFF619
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFF608 push ecx; mov dword ptr [esp], edx 8_2_00BFF609
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BFD7EC push ecx; mov dword ptr [esp], eax 8_2_00BFD7EE
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00C00744 push ecx; mov dword ptr [esp], ecx 8_2_00C00748
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BCE74C push 00BCE7A3h; ret 8_2_00BCE79B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00BAB8A0 push ecx; mov dword ptr [esp], eax 8_2_00BAB8A2

            Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSIBC7.tmp
Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSIBA7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA7C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9DD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBA7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBC7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9FD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA1D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8A3.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA7C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9DD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBA7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBC7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9FD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA1D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8A3.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop
Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run windows
Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run windows
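The rows above show msiexec.exe dropping a PE and a DLL into a folder under the user's Pictures directory, creating Start Menu folders named after unrelated products, and writing a value named "windows" under the HKCU Run key. What follows is an added example, not part of the Joe Sandbox report: detection logic run over constructed Sysmon-style events that mirror these rows. Field names follow Sysmon Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent, value set), the user SID is made up, the last event is a benign control case, and because the report does not show the Run value's data, the check keys on who wrote the value and where the PE landed rather than on the command line it points to.

```python
import ntpath
import re

# Constructed Sysmon-style events mirroring the report rows above. Field names
# follow Sysmon Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent, value
# set); the SID is made up, and the last event is a benign control case.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\user\Pictures\fotosdaviagem\windows10.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\Installer\MSIBC7.tmp"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\windows"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]

# Shell folders under C:\Users\<name>\ where an installer has no business writing code.
USER_DATA_DIRS = {"pictures", "documents", "desktop", "downloads", "videos", "music"}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl"}
# Matches ...\Windows\CurrentVersion\Run\<value> or ...\RunOnce\<value>; group 1 is the value name.
RUN_VALUE_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
# Processes that write registry keys on behalf of an installer package (assumption: MSI only).
INSTALLER_ENGINES = {"msiexec.exe"}


def is_user_data_path(path):
    """True for <drive>:\\Users\\<name>\\<Pictures|Documents|...>\\..., False otherwise."""
    parts = path.lower().split("\\")
    return len(parts) > 3 and parts[1] == "users" and parts[3] in USER_DATA_DIRS


def triage(events):
    """Return (kind, writer_image, detail) tuples for the two indicators seen above:
    a PE written into a user data folder, and a Run value written by the installer engine."""
    findings = []
    for ev in events:
        writer = ntpath.basename(ev["Image"]).lower()
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if ntpath.splitext(target)[1].lower() in PE_EXTENSIONS and is_user_data_path(target):
                findings.append(("pe_dropped_in_user_data_dir", writer, target))
        elif ev["EventID"] == 13:
            m = RUN_VALUE_RE.search(ev["TargetObject"])
            if m and writer in INSTALLER_ENGINES:
                findings.append(("run_value_written_by_installer", writer, m.group(1)))
    return findings


def verdict(findings):
    """Either indicator alone deserves a look (legitimate MSI packages do register
    updaters under Run); both together from the same installer run are the
    persistence pattern the report rows show."""
    kinds = {kind for kind, _, _ in findings}
    if {"pe_dropped_in_user_data_dir", "run_value_written_by_installer"} <= kinds:
        return "suspicious"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for kind, writer, detail in found:
        print("%-32s %-12s %s" % (kind, writer, detail))
    print("verdict:", verdict(found))
```

Run as a script it reports the two dropped PE files and the "windows" Run value, and ignores the .tmp files under C:\Windows\Installer and the control entry written by a vendor setup.exe. The same two predicates translate directly into a Sysmon or SIEM rule; the path check is the one that carries most of the weight, since MSI packages that install per user normally land under AppData, not under Pictures.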

            Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 760005 value: E9 8B 2F C2 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 77382F90 value: E9 7A D0 3D 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 780005 value: E9 2B BA BC 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 7734BA30 value: E9 DA 45 43 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 3910008 value: E9 8B 8E A8 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 77398E90 value: E9 80 71 57 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 3930005 value: E9 8B 4D 00 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 76934D90 value: E9 7A B2 FF 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 3940005 value: E9 EB EB 00 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 7694EBF0 value: E9 1A 14 FF 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 3950005 value: E9 8B 8A FD 71
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 75928A90 value: E9 7A 75 02 8E
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 3960005 value: E9 2B 02 FF 71
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7164 base: 75950230 value: E9 DA FD 00 8E
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 37A0005 value: E9 8B 2F BE 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 77382F90 value: E9 7A D0 41 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 37C0005 value: E9 2B BA B8 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 7734BA30 value: E9 DA 45 47 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 37D0008 value: E9 8B 8E BC 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 77398E90 value: E9 80 71 43 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 37F0005 value: E9 8B 4D 14 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 76934D90 value: E9 7A B2 EB 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 3800005 value: E9 EB EB 14 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 7694EBF0 value: E9 1A 14 EB 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 3810005 value: E9 8B 8A 11 72
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 75928A90 value: E9 7A 75 EE 8D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 3820005 value: E9 2B 02 13 72
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 1428 base: 75950230 value: E9 DA FD EC 8D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 6E0005 value: E9 8B 2F CA 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 77382F90 value: E9 7A D0 35 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 700005 value: E9 2B BA C4 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 7734BA30 value: E9 DA 45 3B 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 710008 value: E9 8B 8E C8 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 77398E90 value: E9 80 71 37 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 740005 value: E9 8B 4D 1F 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 76934D90 value: E9 7A B2 E0 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 750005 value: E9 EB EB 1F 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 7694EBF0 value: E9 1A 14 E0 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 760005 value: E9 8B 8A 1C 75
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 75928A90 value: E9 7A 75 E3 8A
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 3830005 value: E9 2B 02 12 72
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7028 base: 75950230 value: E9 DA FD ED 8D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 600005 value: E9 8B 2F D8 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 77382F90 value: E9 7A D0 27 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 620005 value: E9 2B BA D2 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 7734BA30 value: E9 DA 45 2D 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 630008 value: E9 8B 8E D6 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 77398E90 value: E9 80 71 29 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 37F0005 value: E9 8B 4D 14 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 76934D90 value: E9 7A B2 EB 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 3800005 value: E9 EB EB 14 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 7694EBF0 value: E9 1A 14 EB 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 3920005 value: E9 8B 8A 00 72
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 75928A90 value: E9 7A 75 FF 8D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 3930005 value: E9 2B 02 02 72
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 6292 base: 75950230 value: E9 DA FD FD 8D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 6E0005 value: E9 8B 2F CA 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 77382F90 value: E9 7A D0 35 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 740005 value: E9 2B BA C0 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 7734BA30 value: E9 DA 45 3F 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 750008 value: E9 8B 8E C4 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 77398E90 value: E9 80 71 3B 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 770005 value: E9 8B 4D 1C 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 76934D90 value: E9 7A B2 E3 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 780005 value: E9 EB EB 1C 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 7694EBF0 value: E9 1A 14 E3 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 790005 value: E9 8B 8A 19 75
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 75928A90 value: E9 7A 75 E6 8A
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 7A0005 value: E9 2B 02 1B 75
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5884 base: 75950230 value: E9 DA FD E4 8A
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 6E0005 value: E9 8B 2F CA 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 77382F90 value: E9 7A D0 35 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 700005 value: E9 2B BA C4 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 7734BA30 value: E9 DA 45 3B 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 710008 value: E9 8B 8E C8 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 77398E90 value: E9 80 71 37 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 36F0005 value: E9 8B 4D 24 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 76934D90 value: E9 7A B2 DB 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 3700005 value: E9 EB EB 24 73
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 7694EBF0 value: E9 1A 14 DB 8C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 3710005 value: E9 8B 8A 21 72
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 75928A90 value: E9 7A 75 DE 8D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 3720005 value: E9 2B 02 23 72
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 5972 base: 75950230 value: E9 DA FD DC 8D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 6D0005 value: E9 8B 2F CB 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 77382F90 value: E9 7A D0 34 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 840005 value: E9 2B BA B0 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 7734BA30 value: E9 DA 45 4F 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 850008 value: E9 8B 8E B4 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 77398E90 value: E9 80 71 4B 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 880005 value: E9 8B 4D 0B 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 76934D90 value: E9 7A B2 F4 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 890005 value: E9 EB EB 0B 76
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 7694EBF0 value: E9 1A 14 F4 89
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 8A0005 value: E9 8B 8A 08 75
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 75928A90 value: E9 7A 75 F7 8A
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 8C0005 value: E9 2B 02 09 75
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 4136 base: 75950230 value: E9 DA FD F6 8A
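Every value above is five bytes starting with E9, the x86 opcode for jmp rel32; the remaining four bytes are a signed displacement measured from the end of the instruction. Decoding them pairs the rows up: each write at a high address (loaded system DLL code in this 32-bit process) jumps into a private region below 0x04000000, and a nearby write inside that region jumps back to the hooked address plus 5 or 8 bytes, which is the inline-hook-plus-trampoline layout the signature is pointing at. The following is an added example, not part of the Joe Sandbox report: it decodes the fourteen PID 7164 rows (copied inline from the table above) and reconstructs the seven detour/trampoline pairs. MODULE_FLOOR and the pairing tolerance are assumptions; the report does not name the hooked functions or DLLs, so the example does not either.

```python
import re
import struct
from collections import defaultdict

# Constructed input: the fourteen "Memory written" rows for PID 7164, copied from
# the report table above in its own notation.
SAMPLE_ROWS = """
PID: 7164 base: 760005 value: E9 8B 2F C2 76
PID: 7164 base: 77382F90 value: E9 7A D0 3D 89
PID: 7164 base: 780005 value: E9 2B BA BC 76
PID: 7164 base: 7734BA30 value: E9 DA 45 43 89
PID: 7164 base: 3910008 value: E9 8B 8E A8 73
PID: 7164 base: 77398E90 value: E9 80 71 57 8C
PID: 7164 base: 3930005 value: E9 8B 4D 00 73
PID: 7164 base: 76934D90 value: E9 7A B2 FF 8C
PID: 7164 base: 3940005 value: E9 EB EB 00 73
PID: 7164 base: 7694EBF0 value: E9 1A 14 FF 8C
PID: 7164 base: 3950005 value: E9 8B 8A FD 71
PID: 7164 base: 75928A90 value: E9 7A 75 02 8E
PID: 7164 base: 3960005 value: E9 2B 02 FF 71
PID: 7164 base: 75950230 value: E9 DA FD 00 8E
"""

ROW_RE = re.compile(r"PID:\s*(\d+)\s+base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")

# Assumption (not stated in the report): in this 32-bit process, writes at or
# above this address land in loaded system DLLs, writes below it in private memory.
MODULE_FLOOR = 0x70000000


def decode_rel_jmp(base, value_hex):
    """Absolute target of a 5-byte `E9 rel32` (jmp rel32) written at `base`.
    rel32 is signed and relative to the end of the instruction (base + 5)."""
    code = bytes.fromhex(value_hex.replace(" ", ""))
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a jmp rel32: %r" % value_hex)
    rel = struct.unpack("<i", code[1:])[0]
    return (base + 5 + rel) & 0xFFFFFFFF


def parse_rows(text):
    """-> {pid: [(write_address, jmp_target), ...]} in row order."""
    writes = defaultdict(list)
    for m in ROW_RE.finditer(text):
        pid, base = int(m.group(1)), int(m.group(2), 16)
        writes[pid].append((base, decode_rel_jmp(base, m.group(3).strip())))
    return writes


def pair_hooks(writes, max_stolen=16):
    """Match each detour (jmp planted over module code) with its trampoline: the
    detour jumps into private memory, and within a few bytes of that landing spot
    another jmp returns to detour_address + n, where n is the number of original
    instruction bytes the detour displaced (5 or 8 in the rows above)."""
    pairs = []
    for pid, rows in writes.items():
        detours = [(a, t) for a, t in rows if a >= MODULE_FLOOR]
        stubs = [(a, t) for a, t in rows if a < MODULE_FLOOR]
        for hook_addr, hook_target in detours:
            for stub_addr, stub_target in stubs:
                stolen = stub_target - hook_addr
                if 0 < stolen <= max_stolen and abs(hook_target - stub_addr) < 0x40:
                    pairs.append({"pid": pid, "hooked": hook_addr, "handler": hook_target,
                                  "jmp_back_at": stub_addr, "resumes_at": stub_target,
                                  "stolen_bytes": stolen})
    return pairs


if __name__ == "__main__":
    for p in pair_hooks(parse_rows(SAMPLE_ROWS)):
        print("PID %(pid)d: %(hooked)08X -> %(handler)08X ; trampoline at %(jmp_back_at)08X "
              "resumes at %(resumes_at)08X (%(stolen_bytes)d bytes displaced)" % p)
```

Run as a script it prints the seven pairs for PID 7164; the same parse works on the rows for the other six PIDs, whose stubs sit at different private addresses in each process while the seven hooked addresses stay the same. That constancy is the practical takeaway: the hooked addresses can be resolved against the DLLs loaded in the sandbox to name the functions, and the stub pages are the memory regions worth dumping.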
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIBA7.tmp | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Process information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 8_2_014CE8AD rdtsc 8_2_014CE8AD
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA7C.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9DD.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9FD.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA1D.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8A3.tmpJump to dropped file
            Source: C:\Windows\Installer\MSIBC7.tmpCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_5-35088
            Source: C:\Windows\Installer\MSIBA7.tmpCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_4-34896
            Source: C:\Windows\Installer\MSIBA7.tmpAPI coverage: 4.2 %
            Source: C:\Windows\Installer\MSIBC7.tmpAPI coverage: 4.2 %
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000809
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_ComputerSystem
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_002B05E9 FindFirstFileExW,4_2_002B05E9
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_009505E9 FindFirstFileExW,5_2_009505E9
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00B9D08C FindFirstFileW,8_2_00B9D08C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 9_2_00A1D08C FindFirstFileW,9_2_00A1D08C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_00B9DCF8 GetSystemInfo,8_2_00B9DCF8
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Server
Source: windows10.exe, 0000000F.00000003.2497567155.000000000096A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497402388.0000000000975000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Datacenter without Hyper-V Core
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Standard without Hyper-V Full
Source: windows10.exe, 0000000F.00000003.2497567155.000000000097D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497743132.0000000000978000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminLMEMX<
Source: windows10.exe, 0000000F.00000003.2497567155.000000000097D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497743132.0000000000978000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Enterprise without Hyper-V Core
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: QEMUU
Source: windows10.exe, 0000000F.00000003.2497567155.000000000096A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497402388.0000000000975000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/DiagnosticLMEMX0
Source: MSIBA7.tmp, 00000004.00000002.2086315191.000000000153C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: windows10.exe, 0000000F.00000003.2475316588.000000007FDC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SecureVirtualMachine
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: stVMWare
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: stQEMU
Source: windows10.exe, 0000000F.00000003.2497567155.000000000096A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Adminh
Source: windows10.exe, 0000000F.00000003.2497567155.000000000097D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497743132.0000000000978000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
Source: windows10.exe, 0000000F.00000003.2497567155.000000000096A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497402388.0000000000975000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytictu
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticLMEM`8
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMh@
Source: windows10.exe, 0000000F.00000003.2475316588.000000007FDC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fsSecureVirtualMachine
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM`H
Source: windows10.exe, 0000000F.00000003.2497150866.0000000000980000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497402388.0000000000980000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ndows-Hyper-V-VID-Analytic
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AdminLMEMH,
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticLMEMP(
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminLMEM`P
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMWare
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DiagnoseLMEMhD
Source: windows10.exe, 0000000F.00000003.2497567155.000000000097D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497743132.0000000000978000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Standard without Hyper-V Core
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticLMEMhL
Source: windows10.exe, 0000000F.00000003.2497150866.0000000000980000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497567155.000000000097D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497743132.0000000000978000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497402388.0000000000980000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-Admin
Source: windows10.exe, 0000000F.00000003.2497567155.000000000097D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2497743132.0000000000978000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic
Source: arquivo.msi | Binary or memory string: MvmCiy
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Datacenter without Hyper-V Full
Source: windows10.exe, 0000000F.00000003.2475103708.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Enterprise without Hyper-V Full
Source: windows10.exe, 0000000F.00000003.2497567155.000000000096A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
Source: windows10.exe, 0000000F.00000003.2497150866.000000000094B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000000F.00000003.2496818070.0000000000944000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-OperationalLMEMh4
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 8_2_014CE8AD rdtsc 8_2_014CE8AD
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_002983BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_002983BD
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_002B03E8 mov eax, dword ptr fs:[00000030h] 4_2_002B03E8
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_002A843F mov ecx, dword ptr fs:[00000030h] 4_2_002A843F
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_009503E8 mov eax, dword ptr fs:[00000030h] 5_2_009503E8
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_0094843F mov ecx, dword ptr fs:[00000030h] 5_2_0094843F
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_002B1533 GetProcessHeap,4_2_002B1533
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSIBA7.tmp "C:\Windows\Installer\MSIBA7.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_0029C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0029C3B6
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_00298553 SetUnhandledExceptionFilter,4_2_00298553
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_00297B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00297B9C
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_0093C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0093C3B6
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_009383BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_009383BD
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_00938553 SetUnhandledExceptionFilter,5_2_00938553
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: 5_2_00937B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00937B9C
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_00277660 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,4_2_00277660
Source: C:\Windows\Installer\MSIBA7.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\"
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_0029801C cpuid 4_2_0029801C
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetLocaleInfoEx,FormatMessageA,4_2_00282161
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetLocaleInfoEx,4_2_002971C1
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,4_2_002B3414
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: EnumSystemLocalesW,4_2_002B36B6
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: EnumSystemLocalesW,4_2_002B3701
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: EnumSystemLocalesW,4_2_002AC7A2
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: EnumSystemLocalesW,4_2_002B379C
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_002B3827
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetLocaleInfoW,4_2_002B3A7A
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_002B3BA3
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetLocaleInfoW,4_2_002B3CA9
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetLocaleInfoW,4_2_002ACD1F
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_002B3D78
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetLocaleInfoEx,5_2_009371C1
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetLocaleInfoEx,FormatMessageA,5_2_00922161
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,5_2_00953414
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: EnumSystemLocalesW,5_2_009536B6
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: EnumSystemLocalesW,5_2_0095379C
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: EnumSystemLocalesW,5_2_0094C7A2
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: EnumSystemLocalesW,5_2_00953701
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00953827
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetLocaleInfoW,5_2_00953A7A
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_00953BA3
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetLocaleInfoW,5_2_00953CA9
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetLocaleInfoW,5_2_0094CD1F
Source: C:\Windows\Installer\MSIBC7.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_00953D78
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_00298615 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00298615
Source: C:\Windows\Installer\MSIBA7.tmp | Code function: 4_2_002AD192 GetTimeZoneInformation,4_2_002AD192
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiSpywareProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : FirewallProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiSpywareProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct
MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the count of matched signatures mapped to that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Replication Through Removable Media (1) | Windows Management Instrumentation (31) | Registry Run Keys / Startup Folder (11) | Exploitation for Privilege Escalation (1) | Masquerading (121) | Credential API Hooking (1) | System Time Discovery (2) | Remote Services | Credential API Hooking (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (171) | Remote Desktop Protocol | Archive Collected Data (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Native API (1) | Logon Script (Windows) | Registry Run Keys / Startup Folder (11) | Virtualization/Sandbox Evasion (3) | Security Account Manager | Virtualization/Sandbox Evasion (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (11) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Peripheral Device Discovery (11) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | System Information Discovery (65) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1439020; Sample: arquivo.msi; Start date: 09/05/2024; Architecture: WINDOWS; Score: 64)
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
Process tree recovered from the graph (numbers in parentheses are the counts shown on the node):
msiexec.exe (50, 54), started
    dropped: C:\Windows\Installer\MSIBC7.tmp, PE32; C:\Windows\Installer\MSIBA7.tmp, PE32; C:\Windows\Installer\MSIA7C.tmp, PE32; 6 other malicious files
    signature: Drops executables to the windows directory (C:\Windows) and starts them
    windows10.exe, started
        signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
        windows10.exe, started
            signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
            windows10.exe, started
                signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
        windows10.exe, started
        windows10.exe, started
        2 other processes
    MSIBA7.tmp (1), started
        cmd.exe (1), started
            conhost.exe, started
    msiexec.exe, started
    MSIBC7.tmp, started
msiexec.exe (3), started

Antivirus detection, submitted file:
Source | Detection | Scanner
arquivo.msi | 12% | Virustotal
arquivo.msi | 18% | ReversingLabs

Antivirus detection, dropped files:
Source | Detection | Scanner
C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll | 41% | Virustotal
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | 3% | ReversingLabs
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | 4% | Virustotal
C:\Windows\Installer\MSI8A3.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8A3.tmp | 1% | Virustotal
C:\Windows\Installer\MSI9DD.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9DD.tmp | 1% | Virustotal
C:\Windows\Installer\MSI9FD.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9FD.tmp | 1% | Virustotal
C:\Windows\Installer\MSIA1D.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIA1D.tmp | 1% | Virustotal
C:\Windows\Installer\MSIA7C.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIA7C.tmp | 1% | Virustotal
C:\Windows\Installer\MSIBA7.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIBA7.tmp | 0% | Virustotal
C:\Windows\Installer\MSIBC7.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIBC7.tmp | 0% | Virustotal

No Antivirus matches

URL detection:
Source | Detection | Scanner | Label
http://www.indyproject.org/ | 0% | URL Reputation | safe
http://newsfoos.from-il.com/clientes/inspecionando.php | 0% | Avira URL Cloud | safe
http://newsfoos.from-il.com/clientes/inspecionando.php | 0% | Virustotal | -

No contacted domains info

URLs observed:
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.audio-tool.net | windows10.exe, 00000008.00000000.2092652640.0000000000497000.00000002.00000001.01000000.00000006.sdmp | false | - | high
http://www.indyproject.org/ | windows10.exe, 0000000F.00000003.2476071768.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://newsfoos.from-il.com/clientes/inspecionando.php | cont.cmd.2.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://ip-api.com/json/ | windows10.exe, 0000000F.00000003.2476071768.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp | false | - | high

No contacted IP infos
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1439020
                Start date and time:2024-05-09 17:23:09 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 37s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:17
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:arquivo.msi
                Detection:MAL
                Classification:mal64.evad.winMSI@25/33@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 82%
                • Number of executed functions: 47
                • Number of non-executed functions: 311
                Cookbook Comments:
                • Found application associated with file extension: .msi
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                No context
                No context
                No context
                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | z1Intimacao-eletronica.msi | Get hash | malicious | Unknown | Browse |
 | Nota.msi | Get hash | malicious | Unknown | Browse |
C:\Windows\Installer\MSI8A3.tmp | 25690.01808D.msi | Get hash | malicious | Unknown | Browse |
 | fatKCMAGKKH.msi | Get hash | malicious | Unknown | Browse |
 | SPMServer_2024.3.5.473.exe | Get hash | malicious | Unknown | Browse |
 | SPMServer_2024.2.1.7.exe | Get hash | malicious | Unknown | Browse |
 | SPMServer_2024.3.1.22.exe | Get hash | malicious | Unknown | Browse |
 | Df.mes-25664.msi | Get hash | malicious | Unknown | Browse |
 | FatRE012024.msi | Get hash | malicious | Unknown | Browse |
 | Fat012024.msi | Get hash | malicious | Unknown | Browse |
 | BoletoNF0014217112023.pdf.msi | Get hash | malicious | Unknown | Browse |
 | UMKA-WCD-.msi | Get hash | malicious | Unknown | Browse |
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):9406
                                        Entropy (8bit):5.5224436921270454
                                        Encrypted:false
                                        SSDEEP:96:5wYAAQlZ/RdLc3Yl6MoJmlRERT4g5HN+1pd+raR9mK2TUdBFjQbLe5ui48JyKG3n:57fqdOCetZ2fHk4qMuAuiFamAio1
                                        MD5:4C48DCE5AEA1F460B0202889BB458B53
                                        SHA1:D43BCBE4F2D9FFD45081C6A8676AC75C272DAE8F
                                        SHA-256:98B61765C68F4FC9406C03AFAE313138DD69ECB8FADAD190D6F8DE290F269A4E
                                        SHA-512:9C581404BFE21F9DB809D7C66182994D54AE5B437445AB3E2F4ACE2D84AF19626E8AEA333F6CDD0205EC8DD6048A07FA85E033F4CE2D87F1B109301A2CD11A3F
                                        Malicious:false
                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}..Aplicativo Windows..arquivo.msi.@.....@?....@.....@........&.{109BB442-B9FF-433F-A409-015AAE08B482}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{4669957E-4874-4408-AF9D-19502B394F45}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{7FA89396-444D-4152-8B48-A5E58414D67B}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{1A182076-3D90-4
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):246630
                                        Entropy (8bit):3.8145969687329395
                                        Encrypted:false
                                        SSDEEP:1536:zRXXpW3QdLjY/SZn3l/FloG49jO/Tgyjj/AM0yMl2xvDbRU4K4F474T4k5434u4C:lAxYFR8jadzR+U45EazQXAU0/4c
                                        MD5:07EB38056B221AB64B6FE6C7D71EC3EA
                                        SHA1:20740AC35BCFD2D9F3CE778F6BB6FD460A4A1AE3
                                        SHA-256:71EF6BCF5ADF38F4E62803357B9B511CF152DC26E16D9FB1584BFD6BD66ED5AA
                                        SHA-512:0D009DBA6D87FD1164CF8A05F4BECBC30A74188CD112ACCCBA4C095834C17F0CDF6397F75392D5801672057527C2DA6FA13FC32EA44B9A1BEA0A1C407756D89A
                                        Malicious:false
                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.9./.0.5./.2.0.2.4. . .1.7.:.2.3.:.5.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.9.4.:.2.0.). .[.1.7.:.2.3.:.5.4.:.2.0.3.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.9.4.:.2.0.). .[.1.7.:.2.3.:.5.4.:.2.0.3.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.9.4.:.A.4.). .[.1.7.:.2.3.:.5.4.:.2.3.4.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.9.4.:.A.4.). .[.1.7.:.2.3.:.5.4.:.2.3.4.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):12640768
                                        Entropy (8bit):7.958463558045575
                                        Encrypted:false
                                        SSDEEP:196608:bVzV+ytyA7dT3jBIfTA2lHrENfJQkgM4DLbjqH8NMzgc6fv+iTnoQNy3RkOgBMZK:PAA7V39QAUkgM4vbjqcNItYvrfNtDB
                                        MD5:69A9FF59CD37DE9C7A5E4A38E9278A03
                                        SHA1:516D2E6E54FE2327EC83A8ADA4B2416DDBFB0D43
                                        SHA-256:CB8FE818F967A54AE3E3B3A0DF7E7B4B185CCC174E9163C619501A1EAB5CECFF
                                        SHA-512:4EEE916974CA2C83C959D5535337408F54EE11C775564D7A947B5BD0330C07661C879E946498A7914A59D8D29585A1A84EAF52A287FA0D4745298D13AFB8381C
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Virustotal, Detection: 41%, Browse
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....FQd..................-.........+.........-...@..........................P].........................................&-.. .E......0]......................@]......................................................P......X........................text.....-......................... ..`.itext........-..................... ..`.data....x....-.....................@....bss.....X...@...........................idata..`8..........................@....didata.l...........................@....edata..&-..........................@..@.rdata..E.... /.....................@..@.lbI....B.m..0/..................... ..`.4FN.........P......................@...._0T....p....`...................... ..`.rsrc........0].....................@..@.reloc.......@].....................@..B..................... 4......n3.............@..@........................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):196
                                        Entropy (8bit):4.891201943788933
                                        Encrypted:false
                                        SSDEEP:3:mKDDktbrXj18BIDQK1ERNLw2ABOA53kfNINAgAEFWREX6EEDQobhL3T18BQQUT+:hwFDJRku4NfIOc/Q3RVPRbj5QZ
                                        MD5:1951A22DD00589B9D64F27075C96188B
                                        SHA1:4CBEDB39A682D217EA63693346D337E032B85A28
                                        SHA-256:F1560195A61B8DFB6FDCA79B328F2D221187EFA8932DC9A4232C317BF8151292
                                        SHA-512:41E39FEE27A854C0F68CC70633F4CF51131E5EB15CE693DB3E6CA90321E32B836E9497A111965AB20B65BFBF68CF5CCEB28D14073EBB2DBA7D1C9258BC55E084
                                        Malicious:false
                                        Preview:@echo off..REM --- Criar o servi.o ---..sc create MeuServico binPath= "%USERPROFILE%\Pictures\fotosdaviagem\windows10.exe" start= auto..REM --- Iniciar o servi.o ---..sc start MeuServico....exit
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16156854
                                        Entropy (8bit):7.999987454770361
                                        Encrypted:true
                                        SSDEEP:393216:b3jVMSUmx4twho2HfoWAN+d+Gstcdq5Z92/72X4o/o:LjGo4tMfFItcUn92xo/o
                                        MD5:697FF336A8F1278BEBD9FA3358BAE2BA
                                        SHA1:39514D8961C976B25E803A8EDF65AF1928D2CD2E
                                        SHA-256:918DE41CB24F5BE5A473B2D0881FEE5D56869640742F37466CBCAF5FD154E9CE
                                        SHA-512:32F943FEA634E6FB0C0B2D4E934FC671838611CEB9068840C6E7CE99036E06BE94E88B38256AC57729DF1983E0B5DC1474F7458CA32EF371B0D84077656FBDAF
                                        Malicious:false
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):54
                                        Entropy (8bit):5.245447224305563
                                        Encrypted:false
                                        SSDEEP:3:3ugfKvpkPxBKS9Gr236TOf:+giveJr9Upg
                                        MD5:51C2C6285991EF6126010B102782B43D
                                        SHA1:9CAEC981404A3BAD4536CB42DE557EB1CFECB085
                                        SHA-256:3692E5F68D8F5D3A8A3782FAAC232D89C74E37ED8E9EF2853AEE0147E4D2659C
                                        SHA-512:9C99EE675E9D3F9320DEFF79F23B062B2E563C5E1824089DA4825F25E8F8A87E0E870758EDAA4610C78F850EA2355886CE5F30DE51C1536F8713E9045999D48E
                                        Malicious:false
                                        Preview:jn8r4IjEzoJLa1cjTx5vc2C9Sk3Ff7+76/nuToKOtShN..oKPv+W/D
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.236243412983059
                                        Encrypted:false
                                        SSDEEP:3:jhRp3WSKIIIyGGJMuhyVY1QVn:jHp3WWqGGJM+yVY1QV
                                        MD5:BC780D86E260181596F795744F5A8FEB
                                        SHA1:9F09EC13020AEB19D914DFB9B322906D35BBFADB
                                        SHA-256:92714D26B51C101F984868717F8F93BBAE71E3CEC88E6E1260BE16D0E50DD99D
                                        SHA-512:66BBC45561D51A05851AE5E535FA555F38A5EBB614E24F47883589F8972E9CC2C1B7928357FB82646CD98AD730551C481E1F180999A88F553474E253E53F594F
                                        Malicious:false
                                        Preview:Start http://newsfoos.from-il.com/clientes/inspecionando.php
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1793
                                        Entropy (8bit):7.888051089019235
                                        Encrypted:false
                                        SSDEEP:48:PCSBPCF4qYtOIt9Oxi0/1YapmAg7VZNPVs:PvCFxYzmxN3mAYNS
                                        MD5:FEBE516EE835A50D940B2413596527C4
                                        SHA1:E38B8178C37973A7E43F1EE183F08FCFFFAEC5AC
                                        SHA-256:2E62CCA2526CD1355D85F607DCD274F05C808DB6AD9FCA42DC9371A30DB52652
                                        SHA-512:C719989A043475CFC1CDF3EBAE5E27DC721F025279F7EB3F3E1FA52D1A0F440214F77986EC4D18BFE1FFC6905C512198DBA0A0299D1FE7EDA66BD0E7205E772F
                                        Malicious:false
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1626280
                                        Entropy (8bit):7.371352775782398
                                        Encrypted:false
                                        SSDEEP:49152:H4jyNKd2Bqc8Y7IDbauSVGDzhGjThGDzhmj8L5NsmK2:H4Fd2Bqc8Y7IDbauSVGDzhGjThGDzhmL
                                        MD5:BDC0CFF1E6E3DB489864041A623F0D1E
                                        SHA1:CF1BEEEC71ABBFBE8A6F47ABAAA6C1AF2FEE37DC
                                        SHA-256:585741CA3C4041BB39D107F1F159D908650967FBCCAC3A491BCA389CC4BA0769
                                        SHA-512:AEAF1D2DA43584AE91EA032C59A945AB91F721CC3B5BB98C2C7096DFD8C728B4EBF735491E06E934B4B1C9F1CCC719F950AD6F45E212F638B52C7AF5EFCC18DB
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 3%
                                        • Antivirus: Virustotal, Detection: 4%, Browse
                                        Joe Sandbox View:
                                        • Filename: z1Intimacao-eletronica.msi, Detection: malicious, Browse
                                        • Filename: Nota.msi, Detection: malicious, Browse
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@........................... .../... .......................p..p............................`......................................................CODE................................ ..`DATA....p...........................@...BSS......................................idata.../... ...0..................@....tls.........P.......0...................rdata.......`.......0..............@..P.reloc..p....p.......2..............@..P.rsrc........ ......................@..P....................................@..P........................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {109BB442-B9FF-433F-A409-015AAE08B482}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu May 9 06:30:32 2024, Number of Pages: 200
                                        Category:dropped
                                        Size (bytes):30681088
                                        Entropy (8bit):7.979383601607887
                                        Encrypted:false
                                        SSDEEP:393216:eZnn14DbxKsHflWWJpfozkGxcOKzzTWh5CR0rYb8JPt3HPRoJQ6YQ5qMJ8K4RIyk:On1stHfbfy4zTE8R0BPt3vRo/F2w
                                        MD5:8FCB7D96688206BAA33E4093593351F9
                                        SHA1:6BE55CEC7D9C516E3ECE68C7B909DDAE463A67A1
                                        SHA-256:3779B1BEA09E5CFAA95B068ABAC91ABA4585390C529EFF5B163AB0B0C14F9F99
                                        SHA-512:2CEB7444E27CC6FC5CA25CE3E762208B37897A598F029A85EFD67F258D4A71B8A07680F5D7FCBDA4E8E04F32385E6A5422FE2A52C6BB8C3157D0704427D08C2F
                                        Malicious:false
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):601920
                                        Entropy (8bit):6.469032452979565
                                        Encrypted:false
                                        SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                        MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                        SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                        SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                        SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                        Joe Sandbox View:
                                        • Filename: 25690.01808D.msi, Detection: malicious, Browse
                                        • Filename: fatKCMAGKKH.msi, Detection: malicious, Browse
                                        • Filename: SPMServer_2024.3.5.473.exe, Detection: malicious, Browse
                                        • Filename: SPMServer_2024.2.1.7.exe, Detection: malicious, Browse
                                        • Filename: SPMServer_2024.3.1.22.exe, Detection: malicious, Browse
                                        • Filename: Df.mes-25664.msi, Detection: malicious, Browse
                                        • Filename: FatRE012024.msi, Detection: malicious, Browse
                                        • Filename: Fat012024.msi, Detection: malicious, Browse
                                        • Filename: BoletoNF0014217112023.pdf.msi, Detection: malicious, Browse
                                        • Filename: UMKA-WCD-.msi, Detection: malicious, Browse
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):601920
                                        Entropy (8bit):6.469032452979565
                                        Encrypted:false
                                        SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                        MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                        SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                        SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                        SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):601920
                                        Entropy (8bit):6.469032452979565
                                        Encrypted:false
                                        SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                        MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                        SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                        SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                        SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):601920
                                        Entropy (8bit):6.469032452979565
                                        Encrypted:false
                                        SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                        MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                        SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                        SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                        SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):601920
                                        Entropy (8bit):6.469032452979565
                                        Encrypted:false
                                        SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                        MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                        SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                        SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                        SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 1%
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8550
                                        Entropy (8bit):5.415787680099845
                                        Encrypted:false
                                        SSDEEP:192:I7L5VE2UC609rTczGj7UYIzwrKtHoiF5O:IHPLL6Qcu7UYvWtHoG5O
                                        MD5:09035F5C77C468CC530B1324D3662C61
                                        SHA1:978A7B3B4DBC2DDD26312AE02DDAA8FB27F3F510
                                        SHA-256:8206FF03142428879690B6B3F623FC9CE0982FE8A7BFC0C8DC69C412C39B84DA
                                        SHA-512:B07327F1FB5DB65B74A14B750A553CB7AE2343287E3EDC82434CA03296F7F831B30B77B82AACDC13CF2264B202E90303CE474BE0D5AE9BA5655AC9AC93227AE3
                                        Malicious:false
                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}..Aplicativo Windows..arquivo.msi.@.....@?....@.....@........&.{109BB442-B9FF-433F-A409-015AAE08B482}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@ ....@.....@.]....&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}..C:\Users\user\Documents\.@.......@.....@.....@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}1.01:\Software\Microsoft\Aplicativo Windows\Version.@.......@.....@.....@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}..01:\Microsoft\.@.......@.....@.....@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}..01:\Microsoft\Windows\.@.......@.....@.....@......&.{4669957E-4874-4408-AF9D-19502B394F45}%.01:\Microsoft\Windows\CurrentVersion\.@.......@.....@.....@......&.{7FA8939
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):423936
                                        Entropy (8bit):6.554049394581909
                                        Encrypted:false
                                        SSDEEP:12288:B/ePEitwJH6g7scgFzMzMHf7h453V6hEFM:B/EEimJH6g7scSzMQDC5lfC
                                        MD5:768B35409005592DE2333371C6253BC8
                                        SHA1:E370B3CFD801FCDFDBEEC90B0F7CBEF5D2E6B69C
                                        SHA-256:33B519696A7F4B5D4714E3A363B0F0F76E6FF576A05999E482EA484AD4ACF5A5
                                        SHA-512:BB8FAE0FDCE3D61DAB48C1F79F3CE498159364D51FDFD2481CCA3A60D009F6134194D48EA20DE3E1F0C236BB9F6368F82D737A8153F7A1D492F44E197EA971CE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5.g[..g[..g[.T.X..g[.T.^.)g[.8._..g[.8.X..g[.8.^..g[.T._..g[.T.]..g[.T.Z..g[..gZ.Kg[.^.R..g[.^....g[..g..g[.^.Y..g[.Rich.g[.................PE..L...s,Jd.........."....#..........................@.................................._....@..........................................p..8........................:..(...p...........................h...@...............l............................text.............................. ..`.rdata...R.......T..................@..@.data....7...0......................@....rsrc...8....p.......0..............@..@.reloc...:.......<...<..............@..B........................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):423936
                                        Entropy (8bit):6.554049394581909
                                        Encrypted:false
                                        SSDEEP:12288:B/ePEitwJH6g7scgFzMzMHf7h453V6hEFM:B/EEimJH6g7scSzMQDC5lfC
                                        MD5:768B35409005592DE2333371C6253BC8
                                        SHA1:E370B3CFD801FCDFDBEEC90B0F7CBEF5D2E6B69C
                                        SHA-256:33B519696A7F4B5D4714E3A363B0F0F76E6FF576A05999E482EA484AD4ACF5A5
                                        SHA-512:BB8FAE0FDCE3D61DAB48C1F79F3CE498159364D51FDFD2481CCA3A60D009F6134194D48EA20DE3E1F0C236BB9F6368F82D737A8153F7A1D492F44E197EA971CE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5.g[..g[..g[.T.X..g[.T.^.)g[.8._..g[.8.X..g[.8.^..g[.T._..g[.T.]..g[.T.Z..g[..gZ.Kg[.^.R..g[.^....g[..g..g[.^.Y..g[.Rich.g[.................PE..L...s,Jd.........."....#..........................@.................................._....@..........................................p..8........................:..(...p...........................h...@...............l............................text.............................. ..`.rdata...R.......T..................@..@.data....7...0......................@....rsrc...8....p.......0..............@..@.reloc...:.......<...<..............@..B........................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.1628032188041506
                                        Encrypted:false
                                        SSDEEP:12:JSbX72FjriAGiLIlHVRpY5h/7777777777777777777777777vDHFBA2hpdl0i8Q:JQQI5eT5cF
                                        MD5:7EF58192128B4A71669FF5A4350666CA
                                        SHA1:EF32CA7FBBC4723F26CBCC08708CC49CA4E51C7C
                                        SHA-256:4B7D8BEE1F616FF1B161BD0223041461200F251292C6F9115F631FDD08AD0A55
                                        SHA-512:441E9C85E1447A0BB6D08100FA6EADE58A471DE3B3A21EC0178D6493EAD42A8DE84B2E597D390BBA23443ADF1952C3F50F0497AA69D49739201547B5784F2EE4
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.4954921674829027
                                        Encrypted:false
                                        SSDEEP:48:/8PhiuRc06WXJ0nT5KP2ReISyKAEbCyjMHBISyAT:+hi13nT1UIPRwC0MhIP
                                        MD5:A0EED5509C380E1A094F4C21D774C941
                                        SHA1:D7093204EC43B2D538DEE47BACDC6703BECBF276
                                        SHA-256:957DF7CB98C63045BA7037D89A4CA9F43FD093618A978C78BB39CDFD62148CB8
                                        SHA-512:5835B1E99F1C8C1868C781390F02EAB24C58B6AD91CCF7337595BD10E78652760F2EA20DEA63FA3076CF05A8F65231E6DBAE2EF65915320631CC43F827E37E4B
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):360001
                                        Entropy (8bit):5.362985039378909
                                        Encrypted:false
                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauf:zTtbmkExhMJCIpEC
                                        MD5:93A8E2291273825DCE5A568FF2297E03
                                        SHA1:10AFADDA7D0DFADE78788E36B94BB387FAFD239B
                                        SHA-256:9A267779E4FA28EBF7B72796E6324163EB0FF6C103AB35F54BA5C6CFEEC89E76
                                        SHA-512:89B45D9E465772A6EDCF07EB3C84A8369B25ECFE5725E419ED5E92A1F66F319E74906F76B8F09DBC449F827F83C92DBA41B4E1DE1B6AA9B4CC1A5ACBAE858C0B
                                        Malicious:false
                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2039605291214024
                                        Encrypted:false
                                        SSDEEP:48:DnquaM+CFXJLT5IP2ReISyKAEbCyjMHBISyAT:bqCzTXUIPRwC0MhIP
                                        MD5:37F32FBEE71ACF0686E47866EF8FA183
                                        SHA1:F26B681A082DB9358E8B98B9FBCE3566A4084142
                                        SHA-256:D882BDF830A2A8E669BF60AF1777B11DC662939452CCF0FD22EC77CB37D230FF
                                        SHA-512:D9796BA7A46BF1657E12B1F4F7EA0A35F4E08A43FB8ED969B7E8228DFB05ABB93D4549A7F236DECEB451E6EED228EDA9DC2F1DE4B26FC0FD407205070925B9D2
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.4954921674829027
                                        Encrypted:false
                                        SSDEEP:48:/8PhiuRc06WXJ0nT5KP2ReISyKAEbCyjMHBISyAT:+hi13nT1UIPRwC0MhIP
                                        MD5:A0EED5509C380E1A094F4C21D774C941
                                        SHA1:D7093204EC43B2D538DEE47BACDC6703BECBF276
                                        SHA-256:957DF7CB98C63045BA7037D89A4CA9F43FD093618A978C78BB39CDFD62148CB8
                                        SHA-512:5835B1E99F1C8C1868C781390F02EAB24C58B6AD91CCF7337595BD10E78652760F2EA20DEA63FA3076CF05A8F65231E6DBAE2EF65915320631CC43F827E37E4B
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
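The per-file fields above (size, "Entropy (8bit)", MD5/SHA1/SHA-256/SHA-512, Malicious, Antivirus) are what an analyst re-derives when turning a sandbox report into indicators. The following is an added example, not code from Joe Sandbox or from the report: it recomputes those fields for a constructed 512-byte NUL buffer (an entropy of 0.0 on a 512-byte file means every byte is identical, and the MD5 listed for the 512-byte "data" entries is the MD5 of 512 zero bytes), then parses a report excerpt constructed from fields on this page into one record per entry, collapses entries that are the same bytes dropped to several paths by SHA-256, and lists entries the sandbox marks Malicious:true while every listed AV engine is at or below a detection threshold. The 5% threshold and the `parse_dropped_files` layout (one entry per `Process:` line, bullet lines as AV results) are assumptions of this example; how the report derives its own `Encrypted` flag is not shown on the page and is not reproduced here.

```python
"""Added example (not part of the Joe Sandbox report): recompute the fields the
report prints for a dropped file and de-duplicate / triage the entries."""
import hashlib
import math
import re
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, i.e. the report's 'Entropy (8bit)'.
    0.0 for a constant buffer, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_fields(data: bytes) -> dict:
    """The same fields the report lists for a file; hex digests upper-cased as in the report."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


# Constructed input: 512 NUL bytes, the content implied by a 512-byte entry with entropy 0.0.
ZERO_512 = bytes(512)

# Constructed excerpt in the report's key:value layout (values copied from entries on this page;
# the DLL appears twice because the report lists it once per drop path).
SAMPLE_REPORT = """\
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):601920
Entropy (8bit):6.469032452979565
SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):601920
Entropy (8bit):6.469032452979565
SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
Process:C:\\Windows\\System32\\msiexec.exe
File Type:data
Size (bytes):512
Entropy (8bit):0.0
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Malicious:false
"""

DETECTION_RE = re.compile(r"Detection:\s*(\d+)%")


def parse_dropped_files(report_text: str) -> list:
    """One dict per entry; an entry starts at each 'Process:' line (assumed layout).
    '• Antivirus: ...' bullet lines are collected into a list under 'Antivirus'."""
    records, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current is not None:
                current.setdefault("Antivirus", []).append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is None or key == "Antivirus":  # 'Antivirus:' header carries no value
            continue
        current[key] = value
    return records


def unique_by_sha256(records: list) -> list:
    """Collapse entries that are the same bytes dropped to several paths."""
    seen, out = set(), []
    for rec in records:
        digest = rec.get("SHA-256")
        if digest and digest not in seen:
            seen.add(digest)
            out.append(rec)
    return out


def low_detection_malicious(records: list, max_percent: int = 5) -> list:
    """Entries flagged Malicious:true although every listed engine is at or below max_percent
    (threshold is an assumption of this example)."""
    out = []
    for rec in records:
        if rec.get("Malicious", "").lower() != "true":
            continue
        hits = []
        for av in rec.get("Antivirus", []):
            m = DETECTION_RE.search(av)
            if m:
                hits.append(int(m.group(1)))
        if hits and max(hits) <= max_percent:
            out.append(rec)
    return out


if __name__ == "__main__":
    print(file_fields(ZERO_512))
    recs = unique_by_sha256(parse_dropped_files(SAMPLE_REPORT))
    for rec in low_detection_malicious(recs):
        print("low-detection malicious:", rec["SHA-256"], rec["File Type"])
```

Entropy around 6.5, as on the two PE files above, is what uncompressed native code and data normally produce; values approaching 8.0 across a whole file are the usual sign of packing or encryption and would call for unpacking before static analysis. The SHA-256 de-duplication matters because the report repeats an entry for each path the installer writes the same bytes to, so counting entries overstates the number of distinct payloads.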
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.4954921674829027
                                        Encrypted:false
                                        SSDEEP:48:/8PhiuRc06WXJ0nT5KP2ReISyKAEbCyjMHBISyAT:+hi13nT1UIPRwC0MhIP
                                        MD5:A0EED5509C380E1A094F4C21D774C941
                                        SHA1:D7093204EC43B2D538DEE47BACDC6703BECBF276
                                        SHA-256:957DF7CB98C63045BA7037D89A4CA9F43FD093618A978C78BB39CDFD62148CB8
                                        SHA-512:5835B1E99F1C8C1868C781390F02EAB24C58B6AD91CCF7337595BD10E78652760F2EA20DEA63FA3076CF05A8F65231E6DBAE2EF65915320631CC43F827E37E4B
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):0.06960580693081389
                                        Encrypted:false
                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOBAbau0tqVky6lf1:2F0i8n0itFzDHFBA2Dd
                                        MD5:43BB15BA130BA0F94975D8814DA37946
                                        SHA1:FD1B14A0738F868270B2C8E1F191B745910DF974
                                        SHA-256:C5A8E2D9629DE3B4B49C6807753DD02C82C8B2DC2B62E8221418A80787E21B9E
                                        SHA-512:3254140CDFEFBE596D43C36B89329A3948B62DADC7A13ED5AC2AF34969D9B4BD8AA77640A1247E27F568ABC0A071E9F324BC1A1FA12A81B9D4C819EA38037199
                                        Malicious:false
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2039605291214024
                                        Encrypted:false
                                        SSDEEP:48:DnquaM+CFXJLT5IP2ReISyKAEbCyjMHBISyAT:bqCzTXUIPRwC0MhIP
                                        MD5:37F32FBEE71ACF0686E47866EF8FA183
                                        SHA1:F26B681A082DB9358E8B98B9FBCE3566A4084142
                                        SHA-256:D882BDF830A2A8E669BF60AF1777B11DC662939452CCF0FD22EC77CB37D230FF
                                        SHA-512:D9796BA7A46BF1657E12B1F4F7EA0A35F4E08A43FB8ED969B7E8228DFB05ABB93D4549A7F236DECEB451E6EED228EDA9DC2F1DE4B26FC0FD407205070925B9D2
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2039605291214024
                                        Encrypted:false
                                        SSDEEP:48:DnquaM+CFXJLT5IP2ReISyKAEbCyjMHBISyAT:bqCzTXUIPRwC0MhIP
                                        MD5:37F32FBEE71ACF0686E47866EF8FA183
                                        SHA1:F26B681A082DB9358E8B98B9FBCE3566A4084142
                                        SHA-256:D882BDF830A2A8E669BF60AF1777B11DC662939452CCF0FD22EC77CB37D230FF
                                        SHA-512:D9796BA7A46BF1657E12B1F4F7EA0A35F4E08A43FB8ED969B7E8228DFB05ABB93D4549A7F236DECEB451E6EED228EDA9DC2F1DE4B26FC0FD407205070925B9D2
                                        Malicious:false
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):73728
                                        Entropy (8bit):0.11203891627058177
                                        Encrypted:false
                                        SSDEEP:24:eisoTxkIipVkSkIipVkKAEVkyjCyjMHVgwG0Iz8+YNT:DTuISyVISyKAEbCyjMH883T
                                        MD5:723FD8D605934D1E350505D34D9C17D9
                                        SHA1:66A58568FAFF0B69B4DC4379514F62DFB9621850
                                        SHA-256:8C30286691BDE83040DC1E9EB821C77A03E874C9749A8330816811DB51E67781
                                        SHA-512:4AE23A903AECC17D8F9FF36475355FFD413B5EFE8D75093A01686FB77957F8EAE77C159CE503A882544A4D7978B27520496EACBCA43FE76B0789447807F6798A
                                        Malicious:false
                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {109BB442-B9FF-433F-A409-015AAE08B482}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu May 9 06:30:32 2024, Number of Pages: 200
                                        Entropy (8bit):7.979383601607887
                                        TrID:
                                        • Windows SDK Setup Transform Script (63028/2) 47.91%
                                        • Microsoft Windows Installer (60509/1) 46.00%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                        File name:arquivo.msi
                                        File size:30'681'088 bytes
                                        MD5:8fcb7d96688206baa33e4093593351f9
                                        SHA1:6be55cec7d9c516e3ece68c7b909ddae463a67a1
                                        SHA256:3779b1bea09e5cfaa95b068abac91aba4585390c529eff5b163ab0b0c14f9f99
                                        SHA512:2ceb7444e27cc6fc5ca25ce3e762208b37897a598f029a85efd67f258d4a71b8a07680f5d7fcbda4e8e04f32385e6a5422fe2a52c6bb8c3157d0704427d08c2f
                                        SSDEEP:393216:eZnn14DbxKsHflWWJpfozkGxcOKzzTWh5CR0rYb8JPt3HPRoJQ6YQ5qMJ8K4RIyk:On1stHfbfy4zTE8R0BPt3vRo/F2w
                                        TLSH:B9673322B6CBCA32D96D0076E969FE5D047CAE63473011D7B7E57D2E88B08C25275B83
                                        Icon Hash:2d2e3797b32b2b99
                                        No network behavior found

                                        Target ID:0
                                        Start time:17:23:54
                                        Start date:09/05/2024
                                        Path:C:\Windows\System32\msiexec.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\arquivo.msi"
                                        Imagebase:0x7ff67f630000
                                        File size:69'632 bytes
                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:17:23:54
                                        Start date:09/05/2024
                                        Path:C:\Windows\System32\msiexec.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                        Imagebase:0x7ff67f630000
                                        File size:69'632 bytes
                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:3
                                        Start time:17:23:55
                                        Start date:09/05/2024
                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E96AADE6A8E7D98403310AC332619A98
                                        Imagebase:0xbb0000
                                        File size:59'904 bytes
                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:17:23:56
                                        Start date:09/05/2024
                                        Path:C:\Windows\Installer\MSIBA7.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Installer\MSIBA7.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                                        Imagebase:0x270000
                                        File size:423'936 bytes
                                        MD5 hash:768B35409005592DE2333371C6253BC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        • Detection: 0%, Virustotal
                                        Reputation:low
                                        Has exited:true

                                        Target ID:5
                                        Start time:17:23:56
                                        Start date:09/05/2024
                                        Path:C:\Windows\Installer\MSIBC7.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Installer\MSIBC7.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                                        Imagebase:0x910000
                                        File size:423'936 bytes
                                        MD5 hash:768B35409005592DE2333371C6253BC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        • Detection: 0%, Virustotal
                                        Reputation:low
                                        Has exited:false

                                        Target ID:6
                                        Start time:17:23:56
                                        Start date:09/05/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Pictures\fotosdaviagem\Windows.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\"
                                        Imagebase:0x1c0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:17:23:56
                                        Start date:09/05/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:17:23:57
                                        Start date:09/05/2024
                                        Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
                                        Imagebase:0x400000
                                        File size:1'626'280 bytes
                                        MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.3318963670.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 3%, ReversingLabs
                                        • Detection: 4%, Virustotal
                                        Reputation:low
                                        Has exited:false

                                        Target ID:9
                                        Start time:17:24:04
                                        Start date:09/05/2024
                                        Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
                                        Imagebase:0x400000
                                        File size:1'626'280 bytes
                                        MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000002.3317317443.0000000000A11000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:10
                                        Start time:17:24:04
                                        Start date:09/05/2024
                                        Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
                                        Imagebase:0x400000
                                        File size:1'626'280 bytes
                                        MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000A.00000002.3318176983.0000000000971000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:11
                                        Start time:17:24:04
                                        Start date:09/05/2024
                                        Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
                                        Imagebase:0x400000
                                        File size:1'626'280 bytes
                                        MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000002.3318022189.0000000000931000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:12
                                        Start time:17:24:04
                                        Start date:09/05/2024
                                        Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
                                        Imagebase:0x400000
                                        File size:1'626'280 bytes
                                        MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000002.3317187917.00000000009B1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:13
                                        Start time:17:24:04
                                        Start date:09/05/2024
                                        Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
                                        Imagebase:0x400000
                                        File size:1'626'280 bytes
                                        MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000D.00000002.3317598511.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:15
                                        Start time:17:24:26
                                        Start date:09/05/2024
                                        Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
                                        Imagebase:0x400000
                                        File size:1'626'280 bytes
                                        MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:1.3%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:14.1%
                                          Total number of Nodes:347
                                          Total number of Limit Nodes:9
35310->35290 35311->35288 35312->35287 35318 2a0904 35313->35318 35319 2a091b 35318->35319 35320 2a0922 35318->35320 35326 2a0bc0 35319->35326 35320->35319 35363 2aae3c 41 API calls 3 library calls 35320->35363 35322 2a0943 35364 2ab175 41 API calls __Wcscoll 35322->35364 35324 2a0959 35365 2ab1d3 41 API calls __cftoe 35324->35365 35327 2a0bf0 ___crtCompareStringW 35326->35327 35330 2a0bda 35326->35330 35327->35330 35331 2a0c07 35327->35331 35329 2a0bdf 35367 29c5b2 41 API calls collate 35329->35367 35366 29c6b0 14 API calls __Wcscoll 35330->35366 35333 2a0be9 35331->35333 35368 2ac622 6 API calls 2 library calls 35331->35368 35338 297708 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 35333->35338 35335 2a0c55 35336 2a0c5f 35335->35336 35337 2a0c76 35335->35337 35369 29c6b0 14 API calls __Wcscoll 35336->35369 35340 2a0c7b 35337->35340 35341 2a0c8c 35337->35341 35342 277755 35338->35342 35371 29c6b0 14 API calls __Wcscoll 35340->35371 35345 2a0d0d 35341->35345 35347 2a0cb3 35341->35347 35354 2a0ca0 __alloca_probe_16 35341->35354 35342->35216 35342->35225 35343 2a0c64 35370 29c6b0 14 API calls __Wcscoll 35343->35370 35376 29c6b0 14 API calls __Wcscoll 35345->35376 35372 2ab127 15 API calls 2 library calls 35347->35372 35350 2a0d12 35377 29c6b0 14 API calls __Wcscoll 35350->35377 35352 2a0cb9 35352->35345 35352->35354 35353 2a0cfa 35378 2970ef 14 API calls _Yarn 35353->35378 35354->35345 35356 2a0ccd 35354->35356 35373 2ac622 6 API calls 2 library calls 35356->35373 35358 2a0ce9 35359 2a0cf0 35358->35359 35360 2a0d01 35358->35360 35374 2a0d87 41 API calls 2 library calls 35359->35374 35375 29c6b0 14 API calls __Wcscoll 35360->35375 35363->35322 35364->35324 35365->35319 35366->35329 35367->35333 35368->35335 35369->35343 35370->35333 35371->35329 35372->35352 35373->35358 35374->35353 35375->35353 35376->35350 35377->35353 35378->35333

                                          Control-flow Graph

                                          APIs
                                          • GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 0027781F
                                          • GetForegroundWindow.USER32(?,?), ref: 002778A4
                                          • ShellExecuteExW.SHELL32(?), ref: 002778C1
                                          • ShellExecuteExW.SHELL32(?), ref: 002778FF
                                          • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00277942
                                          • GetProcAddress.KERNEL32(00000000), ref: 00277949
                                          • GetProcessId.KERNELBASE(?,?,?,?), ref: 00277950
                                          • AllowSetForegroundWindow.USER32(00000000), ref: 00277953
                                          • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00277973
                                          • GetProcAddress.KERNEL32(00000000), ref: 0027797A
                                          • Sleep.KERNEL32(00000064,?,?,?), ref: 00277997
                                          • EnumWindows.USER32(00277A90,?), ref: 002779B3
                                          • BringWindowToTop.USER32(?), ref: 002779C2
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 002779DF
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 002779EC
                                            • Part of subcall function 00277D30: CloseHandle.KERNEL32(?,253C4779,00000010,00000010,?,?), ref: 00277D72
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00277A9C
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00277AB4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Window$HandleProcess$AddressExecuteForegroundModuleProcShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
                                          • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
                                          • API String ID: 105430343-986041216
                                          • Opcode ID: 76c8c4d0d73c8f99b1a415a59c0195a88cd409565df8953a825cf3aa74971469
                                          • Instruction ID: 6a2aeaa667413e51dea63254701a7f7d41676a87aa7aeafc557455feb3a0230e
                                          • Opcode Fuzzy Hash: 76c8c4d0d73c8f99b1a415a59c0195a88cd409565df8953a825cf3aa74971469
                                          • Instruction Fuzzy Hash: E1E1A071A1524ADFDB10DFA8C888BEEB7B5FF14310F148269E519EB291EB309911CF60

                                          Control-flow Graph

                                          APIs
                                          • GetCommandLineW.KERNEL32(253C4779,?,0000FFFF), ref: 00281A4D
                                            • Part of subcall function 00274EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 00274EDD
                                          • ExitProcess.KERNEL32 ref: 00281C27
                                            • Part of subcall function 00278790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0027880D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: AllocCommandCreateExitFileLineLocalProcess
                                          • String ID: Full command line:$yG<%
                                          • API String ID: 1878577176-667157098
                                          • Opcode ID: 7bd59fae60b7701b8176df4f25e729ae312fd94c0ccca7afcd8269915cc3d2c4
                                          • Instruction ID: e0f06cbe7783d031d58bdb4489fa33afbcc34ea8e9dce1771463bae9d010a648
                                          • Opcode Fuzzy Hash: 7bd59fae60b7701b8176df4f25e729ae312fd94c0ccca7afcd8269915cc3d2c4
                                          • Instruction Fuzzy Hash: 1C514F35821128DACB25FB60CC59BEEB775AF50304F1481D9E009672A2EF741F69CF92

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000008,?,253C4779), ref: 00275FA0
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00275FA7
                                          • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00275FDC
                                          • CloseHandle.KERNEL32(?), ref: 00275FF2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                          • String ID:
                                          • API String ID: 215268677-0
                                          • Opcode ID: 62cba0a05c0d5cf391dbc66464a0b8158ef38a5ae5ffb61cb00b32e54aa14019
                                          • Instruction ID: 01a5820e623bc05a5bc3a2ad772ab20ab8b065a4e1a7456ea139cadeb8b7e88f
                                          • Opcode Fuzzy Hash: 62cba0a05c0d5cf391dbc66464a0b8158ef38a5ae5ffb61cb00b32e54aa14019
                                          • Instruction Fuzzy Hash: D8F03674144301AFE710AF20FC49BAAB7E8FB44704F548919FD84C2160E379D55DDA63

                                          Control-flow Graph

                                          APIs
                                          • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00277FA8,253C4779), ref: 00278044
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00277FA8,253C4779), ref: 0027804E
                                          • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00277FA8,253C4779), ref: 002780AA
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: InformationToken$ErrorLast
                                          • String ID:
                                          • API String ID: 2567405617-0
                                          • Opcode ID: 8fe95e9db38337527ad7155470fe53b7e323c2ad82f18351634ca64ac8ee9496
                                          • Instruction ID: bb10ed571e123863158c6bc92597bff9b0625bad6894d762337a679b28340b9e
                                          • Opcode Fuzzy Hash: 8fe95e9db38337527ad7155470fe53b7e323c2ad82f18351634ca64ac8ee9496
                                          • Instruction Fuzzy Hash: 46317371A50215AFDB20CF59CC49BAFFBF9FB44710F10852DF519A7280DBB569148B90

                                          Control-flow Graph

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,?,?,?,002AAFDA,00000001,00000364,?,00000006,000000FF,?,0029C282,?,?,?), ref: 002AC76C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 5ac9c0a12a07a875f615bb9cd9f38852f6eac20f8ecc5a0b7390a61e922f15bb
                                          • Instruction ID: a84575d245ddbe95a5c8beda107e55e4ba104b8fc7721acc6b0f32117d696544
                                          • Opcode Fuzzy Hash: 5ac9c0a12a07a875f615bb9cd9f38852f6eac20f8ecc5a0b7390a61e922f15bb
                                          • Instruction Fuzzy Hash: CDF0E931535225ABEB212E2A9C45B6BB78C9F53770B344221AD04A6180DF70DC31CEE1

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00275F90: GetCurrentProcess.KERNEL32(00000008,?,253C4779), ref: 00275FA0
                                            • Part of subcall function 00275F90: OpenProcessToken.ADVAPI32(00000000), ref: 00275FA7
                                          • CoInitialize.OLE32(00000000), ref: 00276F55
                                          • CoCreateInstance.OLE32(002BD310,00000000,00000004,002CB320,00000000,?), ref: 00276F85
                                          • CoUninitialize.OLE32 ref: 002774F6
                                          • _com_issue_error.COMSUPP ref: 00277524
                                            • Part of subcall function 00271910: LocalFree.KERNEL32(?,253C4779,?,00000000,002B92C0,000000FF,?,?,002D1348,00000000,002716D0,80004005), ref: 0027195C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
                                          • String ID: $
                                          • API String ID: 2507920217-3993045852
                                          • Opcode ID: eb51e18b6cace3b45a2614a363fd5163462bc29242ab26e96c001a0a322bfde8
                                          • Instruction ID: 221a92f53a4a5159215f9d5c43f0a824f94274f3814bbb5cee0c4da2d0c49d4d
                                          • Opcode Fuzzy Hash: eb51e18b6cace3b45a2614a363fd5163462bc29242ab26e96c001a0a322bfde8
                                          • Instruction Fuzzy Hash: 2F22AF70E18389DFEF11CFA8C948BADBBB8AF45304F14819DE809EB291D7759A45CB11
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: _swprintf$FreeLocal
                                          • String ID: %$+
                                          • API String ID: 2429749586-2626897407
                                          • Opcode ID: 00b9f24aea6c72b55246a4c97fe1e6b7c2b39dfa31c2e37b2cd3df9903cf7170
                                          • Instruction ID: e6ddb4d835cfda144176c6da5b3d9e9023d9b0d168ea800fa5d082be0da7fadd
                                          • Opcode Fuzzy Hash: 00b9f24aea6c72b55246a4c97fe1e6b7c2b39dfa31c2e37b2cd3df9903cf7170
                                          • Instruction Fuzzy Hash: 4502E171E202199FDF15CF68DC54BAEBBB5FF49300F148629F809AB281D734A951CBA1
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 002812C4
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,002D57C0,00000800), ref: 002812E1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: OpenQueryValue
                                          • String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
                                          • API String ID: 4153817207-1914306501
                                          • Opcode ID: 309fb519b00264478cf952bcc646ddf87e5267efa152a38e2dbfb49933cf77de
                                          • Instruction ID: 54691945e469216c06495286f9245bc66f16b631d07ec198c9a1a2e135b1179f
                                          • Opcode Fuzzy Hash: 309fb519b00264478cf952bcc646ddf87e5267efa152a38e2dbfb49933cf77de
                                          • Instruction Fuzzy Hash: 59E1322CA223638ADB34BF14C881676B3E5EF94740F5981A9DC458B6C5EB718CB7C391
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00276242
                                          • CloseHandle.KERNEL32(00000000), ref: 00276285
                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 002762E1
                                          • OpenProcess.KERNEL32(00000410,00000000,?), ref: 002762FD
                                          • CloseHandle.KERNEL32(00000000), ref: 00276445
                                          • Process32NextW.KERNEL32(?,0000022C), ref: 00276463
                                          • CloseHandle.KERNEL32(00000000), ref: 0027648E
                                          Similarity
                                          • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 708755948-0
                                          • Opcode ID: e42a2e59e4c0c56c25b8ae3db5ca5c57420d02d9016e6bcacd93c6407f37299d
                                          • Instruction ID: 21a6dc85da2da485c86d9366e9c0ea1f2a5470e23e2b7881c0d941f6a2acd3fa
                                          • Opcode Fuzzy Hash: e42a2e59e4c0c56c25b8ae3db5ca5c57420d02d9016e6bcacd93c6407f37299d
                                          • Instruction Fuzzy Hash: 00A16B70916669DBDB20DF64D84CBDEBBB4AF44304F1482D9E81DA7280D7B45A98CF90
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                          • API String ID: 4168288129-2761157908
                                          • Opcode ID: 8bab747c38bd766ab04070fefd0d3526c1c3de73787e8626fc5d29b52f4ded2a
                                          • Instruction ID: c9187a876e549e342f35147410d8764163087ed21422b2cf00ff3e59a65d538f
                                          • Opcode Fuzzy Hash: 8bab747c38bd766ab04070fefd0d3526c1c3de73787e8626fc5d29b52f4ded2a
                                          • Instruction Fuzzy Hash: 4BD25B71E286298FDB65DF28CC807EAB7B9EB45344F1441EAD40DE7241EB74AE918F40
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(?,2000000B,002B3EC1,00000002,00000000,?,?,?,002B3EC1,?,00000000), ref: 002B3C3C
                                          • GetLocaleInfoW.KERNEL32(?,20001004,002B3EC1,00000002,00000000,?,?,?,002B3EC1,?,00000000), ref: 002B3C65
                                          • GetACP.KERNEL32(?,?,002B3EC1,?,00000000), ref: 002B3C7A
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: 24e53dc1cc7da7fdd67562d9b246ca7736dc3f50fcf9831e3534870f5c8c7aac
                                          • Instruction ID: 3357c7acb11d722a27db5818ffaf6d9b4dc6c9c9922bc0da1c7455218e3834e8
                                          • Opcode Fuzzy Hash: 24e53dc1cc7da7fdd67562d9b246ca7736dc3f50fcf9831e3534870f5c8c7aac
                                          • Instruction Fuzzy Hash: E321A432630102AADB34CF99C901AE7BBA6FB50F94B568529E84AE7114E732EF50C350
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 002B3E84
                                          • IsValidCodePage.KERNEL32(00000000), ref: 002B3ECD
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 002B3EDC
                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002B3F24
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002B3F43
                                          Similarity
                                          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                          • String ID:
                                          • API String ID: 415426439-0
                                          • Opcode ID: ea8e8a0fd941aec39ef683bd89e7cd8ba5a41c02958053f807d75360ea8b37fc
                                          • Instruction ID: 64c580cfbe40cdcd57e762f6e7675562c28d7a0bae50aad50bedbab16dde1c10
                                          • Opcode Fuzzy Hash: ea8e8a0fd941aec39ef683bd89e7cd8ba5a41c02958053f807d75360ea8b37fc
                                          • Instruction Fuzzy Hash: 29518072A20206ABDF10DFA5DC45AFA77B8AF48740F14456AE504E7191EBB0DA64CB60
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • GetACP.KERNEL32(?,?,?,?,?,?,002A994B,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002B34D5
                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,002A994B,?,?,?,00000055,?,-00000050,?,?), ref: 002B3500
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 002B3663
                                          Similarity
                                          • API ID: ErrorLast$CodeInfoLocalePageValid
                                          • String ID: utf8
                                          • API String ID: 607553120-905460609
                                          • Opcode ID: 4cf320a1891290cd3f7c5eb548802575eda7b6700b48e7bd2ca85e65eb5616f9
                                          • Instruction ID: d4934478e61c96a665c6dad49df1f4ac78b4dc4ea634db9eb8c49855f1182979
                                          • Opcode Fuzzy Hash: 4cf320a1891290cd3f7c5eb548802575eda7b6700b48e7bd2ca85e65eb5616f9
                                          • Instruction Fuzzy Hash: 4771F271620306AADB25EF74CC86BEA73A8EF49780F544429F545D7181FB70EE64CB60
                                          APIs
                                          • LoadResource.KERNEL32(00000000,00000000,253C4779,00000001,00000000,?,00000000,002B9360,000000FF,?,00271D1C,00000010,?,?,?,-00000010), ref: 00271D9B
                                          • LockResource.KERNEL32(00000000,?,00271D1C,00000010,?,?,?,-00000010,002B9340,000000FF,?,0027202C,?,00000000,002B938D,000000FF), ref: 00271DA6
                                          • SizeofResource.KERNEL32(00000000,00000000,?,00271D1C,00000010,?,?,?,-00000010,002B9340,000000FF,?,0027202C,?,00000000,002B938D), ref: 00271DB4
                                          Similarity
                                          • API ID: Resource$LoadLockSizeof
                                          • String ID: @"vpD$v
                                          • API String ID: 2853612939-3189754618
                                          • Opcode ID: ead6d0715c5436e77d85f4d0d5693db79966cc491e0baa1abe174b27407c544d
                                          • Instruction ID: f8f67c4f224a63e010d7d5c88fd38f4ade6f816a8d52df6a4930a8ad326f9118
                                          • Opcode Fuzzy Hash: ead6d0715c5436e77d85f4d0d5693db79966cc491e0baa1abe174b27407c544d
                                          • Instruction Fuzzy Hash: 5E11E732A146559BC7349F1DEC45BB6F7ECEB86711F008A2BEC1AD3240E635AC108A90
                                          APIs
                                          • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,00273270,?), ref: 00282176
                                          • FormatMessageA.KERNEL32(00001300,00000000,yG<%,00000000,00000000,00000000,00000000,?,?,?,00273270,?), ref: 00282198
                                          Similarity
                                          • API ID: FormatInfoLocaleMessage
                                          • String ID: !x-sys-default-locale$yG<%
                                          • API String ID: 4235545615-1672714183
                                          • Opcode ID: 53b1b1f0f0cd96818dca0ea0313247687d4af4e2d0085a655540afbb88dcf8ff
                                          • Instruction ID: 32043384e4dea1a2ba82190a337a4221c5fd8081f562618105f4d56feed5a51f
                                          • Opcode Fuzzy Hash: 53b1b1f0f0cd96818dca0ea0313247687d4af4e2d0085a655540afbb88dcf8ff
                                          • Instruction Fuzzy Hash: FCE039B6160118BEEB04AFA4DC0FDEA7A6DEB05790F104114BA06E2180E2B06E008BA0
                                          Similarity
                                          • API ID: _strrchr
                                          • String ID:
                                          • API String ID: 3213747228-0
                                          • Opcode ID: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                          • Instruction ID: e061b6ea1b6f6551abeb5655fb277610eacef32fc76ad4d7b124cf7486d309a4
                                          • Opcode Fuzzy Hash: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                          • Instruction Fuzzy Hash: 8FB16A72D202469FDB12CF68C8917FEBBA5EF5A300F14816AE505AB243DB759D21CB60
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002983C9
                                          • IsDebuggerPresent.KERNEL32 ref: 00298495
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002984B5
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 002984BF
                                          Similarity
                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                          • String ID:
                                          • API String ID: 254469556-0
                                          • Opcode ID: d54835d5542953a0ca5703d5a06f5e94ab80e7d768739974df17de555d2d4e8e
                                          • Instruction ID: e2993a6a37130c59b4ad9588301f8d085f9d4be68b8fcc4b529f555fe3aa4789
                                          • Opcode Fuzzy Hash: d54835d5542953a0ca5703d5a06f5e94ab80e7d768739974df17de555d2d4e8e
                                          • Instruction Fuzzy Hash: E03129B5D1121D9BDF10EFA4D989BCDBBF8AF09300F1041AAE40DAB250EB719A848F44
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002B387B
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002B38C5
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002B398B
                                          Similarity
                                          • API ID: InfoLocale$ErrorLast
                                          • String ID:
                                          • API String ID: 661929714-0
                                          • Opcode ID: 4fa6a83324969651e7f92c7c3e5ed11af168c68ad554f6c81c954cafce495521
                                          • Instruction ID: e5c3ec250f82c1f448d58da2b6630fb488dd93df291926eb22a55363cd0ed0c1
                                          • Opcode Fuzzy Hash: 4fa6a83324969651e7f92c7c3e5ed11af168c68ad554f6c81c954cafce495521
                                          • Instruction Fuzzy Hash: D361C4729606079FDB24DF28CC82BFAB7A8FF04350F144179E905C6186E775EAA5CB50
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0029C4AE
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0029C4B8
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0029C4C5
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: dab265479529673a0f66ba62e36160cc6b3c7b17efe0524f8f73aea87a03cb7c
                                          • Instruction ID: 13d9b188ab9a6ebf29e400cded763c2e49a5eb71a1dbb76fb46bed35bd3451a8
                                          • Opcode Fuzzy Hash: dab265479529673a0f66ba62e36160cc6b3c7b17efe0524f8f73aea87a03cb7c
                                          • Instruction Fuzzy Hash: CD31A4B59112199BCF21DF68D8897DDBBB4BF08310F6041EAE41CA7251EB709F958F44
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 55ed78c7c429dff4e87f4ebae4af2bdfb9d68bf7abf48bfa11f875b6aae70124
                                          • Instruction ID: 66c8ec1f52d247168668b3ee3a72ab1bff1722f1a747c0f622ebc7121a9fbd42
                                          • Opcode Fuzzy Hash: 55ed78c7c429dff4e87f4ebae4af2bdfb9d68bf7abf48bfa11f875b6aae70124
                                          • Instruction Fuzzy Hash: 3DF12F71E1061A9FDF14CF69C8806ADF7B2FF49324F15826AE815A7381DB309E158F90
                                          APIs
                                          • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,002AD5D7,00000000,00000000,00000000), ref: 002AD496
                                          Similarity
                                          • API ID: InformationTimeZone
                                          • String ID:
                                          • API String ID: 565725191-0
                                          • Opcode ID: 905187ea201b38847101471110672595928573ad425af2bd74448cca3c4f38c5
                                          • Instruction ID: 90da079dc0f0503b5aa72f754adadedadbced7fd91f2b4968c128acdeba9ca41
                                          • Opcode Fuzzy Hash: 905187ea201b38847101471110672595928573ad425af2bd74448cca3c4f38c5
                                          • Instruction Fuzzy Hash: D7C12771D20226ABCF20AF64DC02ABE77B9EF06710F944056F906E7591EF709E61CB90
                                          APIs
                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002ADB2B,?,?,00000008,?,?,002B6AD4,00000000), ref: 002ADD5D
                                          Similarity
                                          • API ID: ExceptionRaise
                                          • API String ID: 3997070919-0
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00298032
                                          Similarity
                                          • API ID: FeaturePresentProcessor
                                          • API String ID: 2325560087-0
                                          Similarity
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002B3ACE
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale
                                          • API String ID: 3736152602-0
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • EnumSystemLocalesW.KERNEL32(002B3827,00000001,00000000,?,-00000050,?,002B3E58,00000000,?,?,?,00000055,?), ref: 002B3773
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • API String ID: 2417226690-0
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,002B3A43,00000000,00000000,?), ref: 002B3CD5
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale
                                          • API String ID: 3736152602-0
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • EnumSystemLocalesW.KERNEL32(002B3A7A,00000001,?,?,-00000050,?,002B3E1C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 002B37E6
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • API String ID: 2417226690-0
                                          APIs
                                            • Part of subcall function 002A72CA: EnterCriticalSection.KERNEL32(?,?,002B163A,00000000,002D11A8,0000000C,002B1601,?,?,002AC75E,?,?,002AAFDA,00000001,00000364,?), ref: 002A72D9
                                          • EnumSystemLocalesW.KERNEL32(002AC795,00000001,002D10C8,0000000C,002ACBC4,00000000), ref: 002AC7DA
                                          Similarity
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • API String ID: 1272433827-0
                                          APIs
                                          • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00294EEC,00000000,002CB6C9,00000004,00293D92,002CB6C9,00000004,002941A5,00000000,00000000), ref: 002971DA
                                          Similarity
                                          • API ID: InfoLocale
                                          • API String ID: 2299586839-0
                                          APIs
                                            • Part of subcall function 002AAE3C: GetLastError.KERNEL32(?,00000008,002B03BC), ref: 002AAE40
                                            • Part of subcall function 002AAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 002AAEE2
                                          • EnumSystemLocalesW.KERNEL32(002B360F,00000001,?,?,?,002B3E7A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002B36ED
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • API String ID: 2417226690-0
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,002AA4B1,?,20001004,00000000,00000002,?,?,002A9AB3), ref: 002ACD53
                                          Similarity
                                          • API ID: InfoLocale
                                          • API String ID: 2299586839-0
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0002855F,00297E51), ref: 00298558
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • API String ID: 3192549508-0
                                          Similarity
                                          • API ID: HeapProcess
                                          • API String ID: 54951025-0
                                          Similarity
                                          • API ID: AllocHeap
                                          • API String ID: 4292702814-0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                          • String ID:
                                          • API String ID: 3471368781-0
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:

                                          Control-flow Graph (rendered graph of the function at 278790-278b92; node data not reproduced here)
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0027880D
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00278860
                                          • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 0027886F
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0027888B
                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 0027896B
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 00278977
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 002789B3
                                          • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 002789D2
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 002789EF
                                          • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 00278A83
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00278ACE
                                          • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00278B1C
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 00278B4B
                                          Strings
                                          Similarity
                                          • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                          • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                          • API String ID: 2199533872-3004881174
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(002D4AF8,00000FA0,?,?,00297747), ref: 00297775
                                          • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00297747), ref: 00297780
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00297747), ref: 00297791
                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002977A3
                                          • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002977B1
                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00297747), ref: 002977D4
                                          • DeleteCriticalSection.KERNEL32(002D4AF8,00000007,?,?,00297747), ref: 002977F0
                                          • CloseHandle.KERNEL32(00000000,?,?,00297747), ref: 00297800
                                          Strings
                                          • kernel32.dll, xrefs: 0029778C
                                          • SleepConditionVariableCS, xrefs: 0029779D
                                          • WakeAllConditionVariable, xrefs: 002977A9
                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0029777B
                                          Similarity
                                          • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                          • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                          • API String ID: 2565136772-3242537097
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00294F27
                                          • collate.LIBCPMT ref: 00294F33
                                            • Part of subcall function 00293E70: __EH_prolog3_GS.LIBCMT ref: 00293E77
                                            • Part of subcall function 00293E70: __Getcoll.LIBCPMT ref: 00293EDB
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • __Getcoll.LIBCPMT ref: 00294F76
                                            • Part of subcall function 00293CD4: __EH_prolog3.LIBCMT ref: 00293CDB
                                            • Part of subcall function 00293CD4: std::_Lockit::_Lockit.LIBCPMT ref: 00293CE5
                                            • Part of subcall function 00293CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 00293D56
                                            • Part of subcall function 00284403: __EH_prolog3.LIBCMT ref: 0028440A
                                            • Part of subcall function 00284403: std::_Lockit::_Lockit.LIBCPMT ref: 00284414
                                            • Part of subcall function 00284403: std::_Lockit::~_Lockit.LIBCPMT ref: 002844BB
                                          • numpunct.LIBCPMT ref: 002951A6
                                            • Part of subcall function 002784C0: LocalAlloc.KERNEL32(00000040,00000000,0029839D,00000000,253C4779,?,00000000,?,00000000,?,002BCB8D,000000FF,?,002717D5,00000000,002BD3BA), ref: 002784C6
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
                                          • String ID: dJ-$hJ-$lJ-$pJ-$tJ-$xJ-$|J-
                                          • API String ID: 2732324234-2670148714
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028D8FD
                                          • ctype.LIBCPMT ref: 0028D944
                                            • Part of subcall function 0028D458: __Getctype.LIBCPMT ref: 0028D467
                                            • Part of subcall function 002879C9: __EH_prolog3.LIBCMT ref: 002879D0
                                            • Part of subcall function 002879C9: std::_Lockit::_Lockit.LIBCPMT ref: 002879DA
                                            • Part of subcall function 002879C9: std::_Lockit::~_Lockit.LIBCPMT ref: 00287A4B
                                            • Part of subcall function 00287AF3: __EH_prolog3.LIBCMT ref: 00287AFA
                                            • Part of subcall function 00287AF3: std::_Lockit::_Lockit.LIBCPMT ref: 00287B04
                                            • Part of subcall function 00287AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 00287B75
                                            • Part of subcall function 00287CB2: __EH_prolog3.LIBCMT ref: 00287CB9
                                            • Part of subcall function 00287CB2: std::_Lockit::_Lockit.LIBCPMT ref: 00287CC3
                                            • Part of subcall function 00287CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 00287D34
                                            • Part of subcall function 00287C1D: __EH_prolog3.LIBCMT ref: 00287C24
                                            • Part of subcall function 00287C1D: std::_Lockit::_Lockit.LIBCPMT ref: 00287C2E
                                            • Part of subcall function 00287C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 00287C9F
                                            • Part of subcall function 00284403: __EH_prolog3.LIBCMT ref: 0028440A
                                            • Part of subcall function 00284403: std::_Lockit::_Lockit.LIBCPMT ref: 00284414
                                            • Part of subcall function 00284403: std::_Lockit::~_Lockit.LIBCPMT ref: 002844BB
                                          • collate.LIBCPMT ref: 0028DA78
                                          • numpunct.LIBCPMT ref: 0028DCF2
                                            • Part of subcall function 0028838F: __EH_prolog3.LIBCMT ref: 00288396
                                            • Part of subcall function 002880C5: __EH_prolog3.LIBCMT ref: 002880CC
                                            • Part of subcall function 002880C5: std::_Lockit::_Lockit.LIBCPMT ref: 002880D6
                                            • Part of subcall function 002880C5: std::_Lockit::~_Lockit.LIBCPMT ref: 00288147
                                            • Part of subcall function 002881EF: __EH_prolog3.LIBCMT ref: 002881F6
                                            • Part of subcall function 002881EF: std::_Lockit::_Lockit.LIBCPMT ref: 00288200
                                            • Part of subcall function 002881EF: std::_Lockit::~_Lockit.LIBCPMT ref: 00288271
                                            • Part of subcall function 00284403: Concurrency::cancel_current_task.LIBCPMT ref: 002844C6
                                            • Part of subcall function 002875B6: __EH_prolog3.LIBCMT ref: 002875BD
                                            • Part of subcall function 002875B6: std::_Lockit::_Lockit.LIBCPMT ref: 002875C7
                                            • Part of subcall function 002875B6: std::_Lockit::~_Lockit.LIBCPMT ref: 00287638
                                          • __Getcoll.LIBCPMT ref: 0028DAB8
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                            • Part of subcall function 002784C0: LocalAlloc.KERNEL32(00000040,00000000,0029839D,00000000,253C4779,?,00000000,?,00000000,?,002BCB8D,000000FF,?,002717D5,00000000,002BD3BA), ref: 002784C6
                                          • codecvt.LIBCPMT ref: 0028DDA3
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                          • String ID: I-$I-$I-$I-
                                          • API String ID: 613171289-350655722
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000018,253C4779,?,00000000), ref: 0027F076
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027F0B3
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027F11D
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027F2B9
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027F376
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 0027F39E
                                          Strings
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name$false$true
                                          • API String ID: 975656625-1062449267
                                          APIs
                                          • OpenProcess.KERNEL32(00000400,00000000,?,253C4779,?,00000000), ref: 00276AC2
                                          • OpenProcess.KERNEL32(00000400,00000000,00000000,?,253C4779,?,00000000), ref: 00276AE3
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,253C4779,?,00000000), ref: 00276B16
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,253C4779,?,00000000), ref: 00276B27
                                          • CloseHandle.KERNEL32(00000000,?,253C4779,?,00000000), ref: 00276B45
                                          • CloseHandle.KERNEL32(00000000,?,253C4779,?,00000000), ref: 00276B61
                                          • CloseHandle.KERNEL32(00000000,?,253C4779,?,00000000), ref: 00276B89
                                          • CloseHandle.KERNEL32(00000000,?,253C4779,?,00000000), ref: 00276BA5
                                          • CloseHandle.KERNEL32(00000000,?,253C4779,?,00000000), ref: 00276BC3
                                          • CloseHandle.KERNEL32(00000000,?,253C4779,?,00000000), ref: 00276BDF
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CloseHandle$Process$OpenTimes
                                          • String ID:
                                          • API String ID: 1711917922-0
                                          • Opcode ID: d5da2f0e5587254495b2c5d9c8c0caa292fa0c7f32e23ddab3baeab74ebf6be5
                                          • Instruction ID: f8f3b3e9ae1de5ecaf608b561d6613ba8cea58718a29b21b5cb5f36aa9f43f82
                                          • Opcode Fuzzy Hash: d5da2f0e5587254495b2c5d9c8c0caa292fa0c7f32e23ddab3baeab74ebf6be5
                                          • Instruction Fuzzy Hash: 71518EB0D21619EBDB10CF98C988BEEFBB4AF49718F208219E518B7280D7745915CBA4
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0029083B
                                            • Part of subcall function 0028780A: __EH_prolog3.LIBCMT ref: 00287811
                                            • Part of subcall function 0028780A: std::_Lockit::_Lockit.LIBCPMT ref: 0028781B
                                            • Part of subcall function 0028780A: std::_Lockit::~_Lockit.LIBCPMT ref: 0028788C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1538362411-2891247106
                                          • Opcode ID: 36e644b0f4ee6d2df790e7a680fc1ec392e6ac9b37c23c4db3acf80e2890a0a9
                                          • Instruction ID: 3e592ccac3a75b7ca3c02e438df35863357b26b0b7cb2f20bb2a6e05c344935b
                                          • Opcode Fuzzy Hash: 36e644b0f4ee6d2df790e7a680fc1ec392e6ac9b37c23c4db3acf80e2890a0a9
                                          • Instruction Fuzzy Hash: 8DC1A07656010EAFDF18DF68C9E5DFE7BADEB09718F140129FA42A3251D670DA20CB60
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002959E9
                                            • Part of subcall function 0027C590: std::_Lockit::_Lockit.LIBCPMT ref: 0027C5BD
                                            • Part of subcall function 0027C590: std::_Lockit::_Lockit.LIBCPMT ref: 0027C5E0
                                            • Part of subcall function 0027C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0027C608
                                            • Part of subcall function 0027C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0027C6A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1383202999-2891247106
                                          • Opcode ID: be5b9490ac35d882249eedc22239df9c08d6e954f9bbbf08e58f0cbfe39aab50
                                          • Instruction ID: 0606e5d26b630642e41d92cb411cc382567a5cf5396f1e8e89bfd781de349d5d
                                          • Opcode Fuzzy Hash: be5b9490ac35d882249eedc22239df9c08d6e954f9bbbf08e58f0cbfe39aab50
                                          • Instruction Fuzzy Hash: 03C1A67662051AAFDF1ADF58C969DFF3BF8EF09304F14451AFA06A2255D630DA20CB60
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00290C2B
                                            • Part of subcall function 0027B500: std::_Lockit::_Lockit.LIBCPMT ref: 0027B52D
                                            • Part of subcall function 0027B500: std::_Lockit::_Lockit.LIBCPMT ref: 0027B550
                                            • Part of subcall function 0027B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0027B578
                                            • Part of subcall function 0027B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0027B617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1383202999-2891247106
                                          • Opcode ID: 5f0069fb42e6de7206d7f05ba24892a958465910c79ba4842e3e3be4d6d2d1f5
                                          • Instruction ID: 632a9355923c465290e701a65c6b3a4047918ebd6716dfd06c8eb1f6b37c5e97
                                          • Opcode Fuzzy Hash: 5f0069fb42e6de7206d7f05ba24892a958465910c79ba4842e3e3be4d6d2d1f5
                                          • Instruction Fuzzy Hash: 94C17F7652010EAFDF28DFA8C9D5DFF7BB9EB09300F144519FA46A2691D670DA20CB60
                                          APIs
                                            • Part of subcall function 00276090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002760F4
                                            • Part of subcall function 00276090: GetLastError.KERNEL32 ref: 00276190
                                          • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00276632
                                          • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 0027668B
                                          • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00276712
                                          • ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 002767F6
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0027686E
                                          • GetLastError.KERNEL32(?,00000000), ref: 002768C9
                                          • FreeLibrary.KERNEL32(?,?,00000000), ref: 0027691E
                                          Strings
                                          • NtQueryInformationProcess, xrefs: 0027662C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
                                          • String ID: NtQueryInformationProcess
                                          • API String ID: 253270903-2781105232
                                          • Opcode ID: bd66a7d3492013abe00afdeddc9f71f8932132f92b94ccf4fa730cd29cd46db8
                                          • Instruction ID: 4fb13c95d7541b75ea1a8a65438a5a6217cdf1239212dbd1f1382774e2dd0a42
                                          • Opcode Fuzzy Hash: bd66a7d3492013abe00afdeddc9f71f8932132f92b94ccf4fa730cd29cd46db8
                                          • Instruction Fuzzy Hash: ACB17F70D20749DADB20CF64C9497AEBBF4FF48308F10465DE449A6290E7B966D8CB91
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 0028D498
                                          • _Maklocstr.LIBCPMT ref: 0028D501
                                          • _Maklocstr.LIBCPMT ref: 0028D513
                                          • _Maklocchr.LIBCPMT ref: 0028D52B
                                          • _Maklocchr.LIBCPMT ref: 0028D53B
                                          • _Getvals.LIBCPMT ref: 0028D55D
                                            • Part of subcall function 0028708B: _Maklocchr.LIBCPMT ref: 002870BA
                                            • Part of subcall function 0028708B: _Maklocchr.LIBCPMT ref: 002870D0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                          • String ID: false$true
                                          • API String ID: 3549167292-2658103896
                                          • Opcode ID: 172b987da6fbbf57084acb91e10f6ccf2d98247108e8ac1afe99231959a27392
                                          • Instruction ID: 601b3f3018a22c145621c3de99097640e21543ee231e33f6dedf79ea05b9feff
                                          • Opcode Fuzzy Hash: 172b987da6fbbf57084acb91e10f6ccf2d98247108e8ac1afe99231959a27392
                                          • Instruction Fuzzy Hash: BF219175D21308AADF15FFA4D846A8F7BA8AF05710F10805AF8199F186EB70D524CFA1
                                          APIs
                                            • Part of subcall function 00285C66: __EH_prolog3.LIBCMT ref: 00285C6D
                                            • Part of subcall function 00285C66: std::_Lockit::_Lockit.LIBCPMT ref: 00285C78
                                            • Part of subcall function 00285C66: std::locale::_Setgloballocale.LIBCPMT ref: 00285C93
                                            • Part of subcall function 00285C66: std::_Lockit::~_Lockit.LIBCPMT ref: 00285CE6
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027CA1A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027CA80
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027CB4F
                                            • Part of subcall function 002845A7: __EH_prolog3.LIBCMT ref: 002845AE
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027CC00
                                          • LocalFree.KERNEL32(?,?,?,002CB6C9,00000000,002CB6C9), ref: 0027CD01
                                          • __cftoe.LIBCMT ref: 0027CE5E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
                                          • String ID: bad locale name
                                          • API String ID: 2085124900-1405518554
                                          • Opcode ID: b8a264c69c50fb5a3a3d74e2d2ea3a14f88548dbe4bcce131e573c456ab27719
                                          • Instruction ID: 54e3e0b8be638bd5e6ec4bc5aca9d52f65018a6dfe9fd9f322e727d065aa15f4
                                          • Opcode Fuzzy Hash: b8a264c69c50fb5a3a3d74e2d2ea3a14f88548dbe4bcce131e573c456ab27719
                                          • Instruction Fuzzy Hash: 6F12AF71D11249DFDF11DFA8C845BAEBBB5EF09304F24816DE809AB381E735AA14CB91
                                          APIs
                                          • type_info::operator==.LIBVCRUNTIME ref: 0029B34B
                                          • ___TypeMatch.LIBVCRUNTIME ref: 0029B459
                                          • _UnwindNestedFrames.LIBCMT ref: 0029B5AB
                                          • CallUnexpected.LIBVCRUNTIME ref: 0029B5C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                          • String ID: csm$csm$csm
                                          • API String ID: 2751267872-393685449
                                          • Opcode ID: fad1118712905d1342134d21fe7219548f1276c0778cb7bb4fa589938c1f7e01
                                          • Instruction ID: 8644df24cfa4c169b10dd32508ee734c71815da18333905be8b15731ac970815
                                          • Opcode Fuzzy Hash: fad1118712905d1342134d21fe7219548f1276c0778cb7bb4fa589938c1f7e01
                                          • Instruction Fuzzy Hash: 09B18A7182020AEFCF16DFA4EA819AEB7B5FF14310F55416AE8056B212C731DA71CF91
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00280322
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00280367
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 002803DE
                                          • LocalFree.KERNEL32(?), ref: 0028041B
                                          • LocalFree.KERNEL32(?,?,?,?,?,253C4779,253C4779,?,?), ref: 00280546
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree$___std_exception_copy
                                          • String ID: ios_base::failbit set$iostream
                                          • API String ID: 2276494016-302468714
                                          • Opcode ID: fcebc9728eb834585023cd9474f02e7d4908d855097491031d20507cd8ab067a
                                          • Instruction ID: 591b69bad36fd4ab9af94b3c38352c1bacf5f7db0ac175ab10b7c74e5f241e69
                                          • Opcode Fuzzy Hash: fcebc9728eb834585023cd9474f02e7d4908d855097491031d20507cd8ab067a
                                          • Instruction Fuzzy Hash: EAA1E1B5D212089FDB08DF68D884BAEBBB5FB48310F10826DE815AB2C1DB709954CB91
                                          APIs
                                          • #224.MSI(?,00000001,00000000,00000000,00000000), ref: 00272C43
                                          • LocalFree.KERNEL32(?), ref: 00272CA2
                                          • LocalFree.KERNEL32(?), ref: 00272D0C
                                          • CertFreeCertificateContext.CRYPT32(00000000), ref: 00272E94
                                            • Part of subcall function 00273D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00273DA3
                                          • LocalFree.KERNEL32(?), ref: 00272E13
                                          • LocalFree.KERNEL32(?), ref: 00272E6B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Free$Local$Cert$#224CertificateContextNameString
                                          • String ID: H:-
                                          • API String ID: 2665452496-3787360102
                                          • Opcode ID: cb88825cac58e772580d183f2148c62eb33d1b7add833b9cf039374d5a15c595
                                          • Instruction ID: 1241118ea0aa3b03c02513cbdf0922cb883b44233b679ffcf1136ea4c0bc4d86
                                          • Opcode Fuzzy Hash: cb88825cac58e772580d183f2148c62eb33d1b7add833b9cf039374d5a15c595
                                          • Instruction Fuzzy Hash: 6491BE70D20249CFDB18CFA8C548B9EFBB5FF44304F24861DD449AB291DBB5AA98CB50
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000044,253C4779,?,00000000), ref: 0027BA8B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027BAC8
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027BB35
                                          • __Getctype.LIBCPMT ref: 0027BB7E
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027BBF2
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027BCAF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 3635123611-1405518554
                                          • Opcode ID: dc5e92b8e198ef117745a965dcc100f7216497e23b366f33143e0cb9b628f8cb
                                          • Instruction ID: 82ba5491281eba56ad0482389babb3aebdf4506dfaa3907b60b7d367df20e5ad
                                          • Opcode Fuzzy Hash: dc5e92b8e198ef117745a965dcc100f7216497e23b366f33143e0cb9b628f8cb
                                          • Instruction Fuzzy Hash: BF8191B0D15348DFEF21DFA8C94578EBBF4AF14304F24819DD848AB282EB759A54CB61
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000018,253C4779,?,00000000,?,?,?,?,?,?,?,00000000,002BABC5,000000FF), ref: 0027C264
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027C29E
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027C302
                                          • __Getctype.LIBCPMT ref: 0027C34B
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027C391
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027C445
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 3635123611-1405518554
                                          • Opcode ID: 9ad6e3f3d3b7dd05a9ffc1eaa7fdd98a6a86962bc095a43283fe55b1a101da85
                                          • Instruction ID: 0a1c82284a56862001fba3ce11f8d19732399fe13444f567c96711ab295839b8
                                          • Opcode Fuzzy Hash: 9ad6e3f3d3b7dd05a9ffc1eaa7fdd98a6a86962bc095a43283fe55b1a101da85
                                          • Instruction Fuzzy Hash: 98615DB1D11288EAEF10DFE8C9087DEBBF4AF15304F248199E454AB381E7B59A18CB51
                                          APIs
                                          • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 002974C9
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00297557
                                          • __alloca_probe_16.LIBCMT ref: 00297581
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002975C9
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 002975E3
                                          • __alloca_probe_16.LIBCMT ref: 00297609
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00297646
                                          • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00297663
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                          • String ID:
                                          • API String ID: 3603178046-0
                                          • Opcode ID: 042ee2dcd98f8b6edbc4c73df0594f87c09a29670c87eedea91839368a94e6aa
                                          • Instruction ID: 8f8e88a80a415d556c78d1f44d273843818746aeec14c16bcce90405b104715c
                                          • Opcode Fuzzy Hash: 042ee2dcd98f8b6edbc4c73df0594f87c09a29670c87eedea91839368a94e6aa
                                          • Instruction Fuzzy Hash: A671B47293864B9FDF218FA8CC45AEF7FBAEF49354F550025E845A6151EB71C820CB60
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,0027C6DF,?,00000001,00000000,?,00000000,?,0027C6DF,?), ref: 00296F6C
                                          • __alloca_probe_16.LIBCMT ref: 00296F98
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,0027C6DF,?,?,00000000,0027CCD3,0000003F,?), ref: 00296FD7
                                          • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0027C6DF,?,?,00000000,0027CCD3,0000003F), ref: 00296FF4
                                          • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,0027C6DF,?,?,00000000,0027CCD3,0000003F), ref: 00297033
                                          • __alloca_probe_16.LIBCMT ref: 00297050
                                          • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0027C6DF,?,?,00000000,0027CCD3,0000003F), ref: 00297092
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0027C6DF,?,?,00000000,0027CCD3,0000003F,?), ref: 002970B5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                          • String ID:
                                          • API String ID: 2040435927-0
                                          • Opcode ID: 2a27ce7cc8844403d55e35312fd02302b8cbace4f2dcaa7b8ebfc1f621780412
                                          • Instruction ID: 12586f227bf0d875e2a3083677518581b156d82cda82b33ea8dbcee06b76f6df
                                          • Opcode Fuzzy Hash: 2a27ce7cc8844403d55e35312fd02302b8cbace4f2dcaa7b8ebfc1f621780412
                                          • Instruction Fuzzy Hash: FC518D7253420AABEF209F64DC49FAB7BAAEF44750F154129F905A7190EB719D208BA0
                                          APIs
                                          • GetTempFileNameW.KERNEL32(?,URL,00000000,?,253C4779,?,00000004), ref: 002759AA
                                          • LocalFree.KERNEL32(?), ref: 00275ABB
                                          • MoveFileW.KERNEL32(?,00000000), ref: 00275D5B
                                          • DeleteFileW.KERNEL32(?), ref: 00275DA3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: File$DeleteFreeLocalMoveNameTemp
                                          • String ID: URL$url
                                          • API String ID: 1622375482-346267919
                                          • Opcode ID: c34ba7b1930094b825d4f169e4ae42c2e9171dfb062c705eb91bc543aa2e1100
                                          • Instruction ID: 80d21e2d660050d6c3ee389343eb7a74ee65c5d599ae4ed19449d88ad0297a07
                                          • Opcode Fuzzy Hash: c34ba7b1930094b825d4f169e4ae42c2e9171dfb062c705eb91bc543aa2e1100
                                          • Instruction Fuzzy Hash: B9024870A246698BCB24DF28CD98B9DF7B5BF54304F1082D9D409A7251EBB4ABD4CF80
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,0000000C,253C4779,?,00000000,00000000,?,?,?,?,00000000,002BB2D1,000000FF,?,0027EBCA,00000000), ref: 0027F624
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027F65A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027F6BE
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027F77E
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027F832
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 2968629171-1405518554
                                          • Opcode ID: e8c59c59cc0197266f13205b02aab7b23b72b34a9c2d74e5df6524a09f7c369e
                                          • Instruction ID: bab4a39b8ac3af49fbf2419f96bd8e6376852ba578b1707245f3c447caa29240
                                          • Opcode Fuzzy Hash: e8c59c59cc0197266f13205b02aab7b23b72b34a9c2d74e5df6524a09f7c369e
                                          • Instruction Fuzzy Hash: F371BFB0D15249EBEF11CFA8C9447CEBFB4AF15314F248169E814BB381D7B59A14CBA2
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000008,253C4779,?,00000000,00000000,?,?,?,00000000,002BB1DD,000000FF,?,0027ED0A,00000000,?), ref: 0027F3F4
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027F42A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027F48E
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027F4FE
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027F5B2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 2968629171-1405518554
                                          • Opcode ID: ed5117ebe111838c2fbee057c185a809cadea8ee982da5858fff1e47d1f59837
                                          • Instruction ID: b680bc06f0f7bb1fd603cf103ab84a7fde2a336a376b0b3c6f3f9870a87784d0
                                          • Opcode Fuzzy Hash: ed5117ebe111838c2fbee057c185a809cadea8ee982da5858fff1e47d1f59837
                                          • Instruction Fuzzy Hash: 2E61AFB0D15389EBEF10CFA8C9447CEBBB4AF14304F248169E844AB381D7B59A14CB61
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00298D67
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00298D6F
                                          • _ValidateLocalCookies.LIBCMT ref: 00298DF8
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00298E23
                                          • _ValidateLocalCookies.LIBCMT ref: 00298E78
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: f3047d7d1bb2361f0f960f5178e9820856df07fc7219b1554559c4a5a1c7642c
                                          • Instruction ID: 75190c68e09dc48ba0794f555f89b92d1098d8c291496d0ebc7bd193f1147bba
                                          • Opcode Fuzzy Hash: f3047d7d1bb2361f0f960f5178e9820856df07fc7219b1554559c4a5a1c7642c
                                          • Instruction Fuzzy Hash: 2541A734A202099BCF10DF68C884A9E7BB6BF46314F188555ED199B392DB71EE21CF91
                                          APIs
                                          • FreeLibrary.KERNEL32(00000000,?,002ACA78,?,?,?,00000000,?,?,002ACCA2,00000021,FlsSetValue,002C1E00,002C1E08,?), ref: 002ACA2C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 3664257935-537541572
                                          • Opcode ID: 73c59f65af161478ff2259c8e154410d40b50f7453af3e35d24004cb0ff1f5a3
                                          • Instruction ID: 6e51475593c9a16fecd01c31fe72a12735ee03550e575b05d21493bb93ed0658
                                          • Opcode Fuzzy Hash: 73c59f65af161478ff2259c8e154410d40b50f7453af3e35d24004cb0ff1f5a3
                                          • Instruction Fuzzy Hash: 7121D836A21216ABCB21DF64BC49BBA37589F477A4F350221E915A7291EE70ED20C6D0
                                          APIs
                                          • GetCurrentProcess.KERNEL32(yG<%,253C4779,?,?,00000000,002BA221,000000FF), ref: 0027847B
                                            • Part of subcall function 00297875: EnterCriticalSection.KERNEL32(002D4AF8,00000000,?,?,002725B6,002D571C,253C4779,?,00000000,002B93ED,000000FF,?,00271A26), ref: 00297880
                                            • Part of subcall function 00297875: LeaveCriticalSection.KERNEL32(002D4AF8,?,?,002725B6,002D571C,253C4779,?,00000000,002B93ED,000000FF,?,00271A26,?,?,?,253C4779), ref: 002978BD
                                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00278440
                                          • GetProcAddress.KERNEL32(00000000), ref: 00278447
                                            • Part of subcall function 0029782B: EnterCriticalSection.KERNEL32(002D4AF8,?,?,00272627,002D571C,002BCCC0), ref: 00297835
                                            • Part of subcall function 0029782B: LeaveCriticalSection.KERNEL32(002D4AF8,?,?,00272627,002D571C,002BCCC0), ref: 00297868
                                            • Part of subcall function 0029782B: RtlWakeAllConditionVariable.NTDLL ref: 002978DF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                          • String ID: IsWow64Process$kernel32$yG<%
                                          • API String ID: 2056477612-2070697408
                                          • Opcode ID: 3606555832e23a3be107021b579abdce46655388ce45e047ca9a5a75be7b67f5
                                          • Instruction ID: 082dda976746333615e95e568edcac74becca04d6ee08f9bda38433e75a8621f
                                          • Opcode Fuzzy Hash: 3606555832e23a3be107021b579abdce46655388ce45e047ca9a5a75be7b67f5
                                          • Instruction Fuzzy Hash: 1211AF72D55B15EFDB10CFA4FC09BA9B7A8FB09720F10466AE81593380EBB56910CA51
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028282A
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00282834
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • numpunct.LIBCPMT ref: 0028286E
                                          • std::_Facet_Register.LIBCPMT ref: 00282885
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002828A5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                          • String ID: tH-
                                          • API String ID: 743221004-3519447270
                                          • Opcode ID: c11d576c49bc3887dfa468b0c8440972de9a4b659f82398b9b8e00412fe61b62
                                          • Instruction ID: b8dbeb14b1b958424b4e2f43fb3d43f4d8d5ed493e63e4e14c0eeec375004c27
                                          • Opcode Fuzzy Hash: c11d576c49bc3887dfa468b0c8440972de9a4b659f82398b9b8e00412fe61b62
                                          • Instruction Fuzzy Hash: E211E53992211ADBCF05FF64D855ABD77A1AF84710F28400EE411A73D1EF709E258F91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00288037
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00288041
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • numpunct.LIBCPMT ref: 0028807B
                                          • std::_Facet_Register.LIBCPMT ref: 00288092
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002880B2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                          • String ID: I-
                                          • API String ID: 743221004-2153069733
                                          • Opcode ID: 559ca2fc2f9b92c761282a47d733b8df8c67fc9aced6f20f580c53dc8c82a59c
                                          • Instruction ID: 6f4ffe36bc9e62a72ff401eadb96cf01674ba5c223e6f515fea7c495a6a0c53c
                                          • Opcode Fuzzy Hash: 559ca2fc2f9b92c761282a47d733b8df8c67fc9aced6f20f580c53dc8c82a59c
                                          • Instruction Fuzzy Hash: 4A01D63A9225298BCF01FFA4D8456BD7761AF80310F28440AF4146B3D2EF709E258F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028266B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00282675
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • codecvt.LIBCPMT ref: 002826AF
                                          • std::_Facet_Register.LIBCPMT ref: 002826C6
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002826E6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID: xH-
                                          • API String ID: 712880209-3638327682
                                          • Opcode ID: d20b3cf489df8eb5203888a5776244663b08df8e921f994b813a884ab613b8c7
                                          • Instruction ID: 3e6c041e132fcd6446fd8678ae345c88b02997ed3d40adc8aabd0d8e67a8205b
                                          • Opcode Fuzzy Hash: d20b3cf489df8eb5203888a5776244663b08df8e921f994b813a884ab613b8c7
                                          • Instruction Fuzzy Hash: 0701C43992126ADBCB05FB64DC056BD7765AF80310F28440AE414AB2D1EF709E259F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002876E7
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002876F1
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • collate.LIBCPMT ref: 0028772B
                                          • std::_Facet_Register.LIBCPMT ref: 00287742
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID: I-
                                          • API String ID: 1007100420-2153069733
                                          • Opcode ID: fc9794ae6fcc333b15a81da207024179e68b76de813573c7061d6912cac20075
                                          • Instruction ID: 298bdd669d6a98dde6e53d0b19e68ebba53bc28ab9a83358d870dfc5a9e80f0d
                                          • Opcode Fuzzy Hash: fc9794ae6fcc333b15a81da207024179e68b76de813573c7061d6912cac20075
                                          • Instruction Fuzzy Hash: 3801D23D9266299BCF05FF64D8056AEB761AF84310F28450AE8196B3D2DF709E21CF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002938C8
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002938D2
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • collate.LIBCPMT ref: 0029390C
                                          • std::_Facet_Register.LIBCPMT ref: 00293923
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00293943
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID: dJ-
                                          • API String ID: 1007100420-4292231444
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0029395D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00293967
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • messages.LIBCPMT ref: 002939A1
                                          • std::_Facet_Register.LIBCPMT ref: 002939B8
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002939D8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID: hJ-
                                          • API String ID: 2750803064-4140611696
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00293B1C
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00293B26
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • moneypunct.LIBCPMT ref: 00293B60
                                          • std::_Facet_Register.LIBCPMT ref: 00293B77
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00293B97
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID: xJ-
                                          • API String ID: 419941038-3941210880
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00293BB1
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00293BBB
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • moneypunct.LIBCPMT ref: 00293BF5
                                          • std::_Facet_Register.LIBCPMT ref: 00293C0C
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00293C2C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID: tJ-
                                          • API String ID: 419941038-3824214628
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,40000022,253C4779,?,00000000,?,?,?,?,002B9DA0,000000FF,?,00276432,00000000,?), ref: 00276CC4
                                          • LocalAlloc.KERNEL32(00000040,3FFFFFFF,253C4779,?,00000000,?,?,?,?,002B9DA0,000000FF,?,00276432,00000000,?), ref: 00276CE7
                                          • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,002B9DA0,000000FF,?,00276432,00000000), ref: 00276D87
                                          • LocalFree.KERNEL32(?,253C4779,00000000,002B93B0,000000FF,?,00000000,00000000,002B9DA0,000000FF,253C4779), ref: 00276E0D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree
                                          • String ID: 2d'$2d'
                                          • API String ID: 2012307162-3996174082
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027B52D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027B550
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027B578
                                          • std::_Facet_Register.LIBCPMT ref: 0027B5ED
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027B617
                                          • LocalFree.KERNEL32 ref: 0027B6C0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
                                          • String ID:
                                          • API String ID: 1378673503-0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16
                                          • String ID: a/p$am/pm
                                          • API String ID: 3509577899-3206640213
                                          APIs
                                          • GetLastError.KERNEL32(?,?,0029AEEC,00299710,002985A3), ref: 0029AF03
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0029AF11
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0029AF2A
                                          • SetLastError.KERNEL32(00000000,0029AEEC,00299710,002985A3), ref: 0029AF7C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002845AE
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                            • Part of subcall function 002784C0: LocalAlloc.KERNEL32(00000040,00000000,0029839D,00000000,253C4779,?,00000000,?,00000000,?,002BCB8D,000000FF,?,002717D5,00000000,002BD3BA), ref: 002784C6
                                            • Part of subcall function 0027C0B0: __Getctype.LIBCPMT ref: 0027C112
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$AllocGetctypeH_prolog3LocalLockit::_Lockit::~_
                                          • String ID: lH-$pH-$tH-$xH-
                                          • API String ID: 3791111190-4209041057
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Mpunct$GetvalsH_prolog3
                                          • String ID: $+xv
                                          • API String ID: 2204710431-1686923651
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00282700
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0028270A
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 0028275B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0028277B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID: lH-
                                          • API String ID: 2854358121-3287511598
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00282795
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0028279F
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 002827F0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00282810
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID: pH-
                                          • API String ID: 2854358121-3603900474
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002939F2
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002939FC
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00293A4D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00293A6D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID: lJ-
                                          • API String ID: 2854358121-4056223916
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00293A87
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00293A91
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00293AE2
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00293B02
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID: pJ-
                                          • API String ID: 2854358121-3841542840
                                          • Opcode ID: a1d7834a13f58e344c64a590e1b5459c6c8c9a766ef2a1fbf152decd52d9fd3b
                                          • Instruction ID: fcbae23a7e79bce06ce838044a9d755333f79812faab6d02844f38439d6ec1f2
                                          • Opcode Fuzzy Hash: a1d7834a13f58e344c64a590e1b5459c6c8c9a766ef2a1fbf152decd52d9fd3b
                                          • Instruction Fuzzy Hash: D001D23992022A9BCF12FF64D8166BE7771AF80310F28440AE415AB3D1DF709E21CF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00293C46
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00293C50
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00293CA1
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00293CC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID: |J-
                                          • API String ID: 2854358121-3991122908
                                          • Opcode ID: 4d27bafdd97a06ccdcccdefce3d3607ffcb52c6e5f0734428c74875d005698fd
                                          • Instruction ID: 5550ee9ce272b01a01801b9f19b3b0eca0fbf30d32738414592e9aa6cd5aa5b9
                                          • Opcode Fuzzy Hash: 4d27bafdd97a06ccdcccdefce3d3607ffcb52c6e5f0734428c74875d005698fd
                                          • Instruction Fuzzy Hash: EF01C039920A2A9BCF01FBA4D8156ADB771AF84710F28440AE8146B3D1DF709E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287E78
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287E82
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00287ED3
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287EF3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID: I-
                                          • API String ID: 2854358121-2153069733
                                          • Opcode ID: 43e8c3d6898a1956f50749a2d73cb931a563606e8b748c4d04ef0a3a2b745b11
                                          • Instruction ID: 13f6b0d4fdfb07768f0a14d783d0d854d73710a41062d1d1ace170b3ae0d43de
                                          • Opcode Fuzzy Hash: 43e8c3d6898a1956f50749a2d73cb931a563606e8b748c4d04ef0a3a2b745b11
                                          • Instruction Fuzzy Hash: 4201D63D92212A9BCF01FF64D8156BE77A1AF80310F284449F814677D1DF709E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287FA2
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287FAC
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00287FFD
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0028801D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID: I-
                                          • API String ID: 2854358121-2153069733
                                          • Opcode ID: 69a83ee3916a94dc5f422a0f2195ad6857d4f819eff0b3df26dc0d3bf714557e
                                          • Instruction ID: 2121582fa288dd4cd5fa91da2637f93f6fcf80c8daa087d173d6bfc4124b6425
                                          • Opcode Fuzzy Hash: 69a83ee3916a94dc5f422a0f2195ad6857d4f819eff0b3df26dc0d3bf714557e
                                          • Instruction Fuzzy Hash: EE01D63D922229DBCB01FFA4D8556BD77A1AF80320F28440AF4146B3D1DF709E218F81
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,253C4779,?,?,00000000,002BCBE4,000000FF,?,002A83F1,?,?,002A83C5,?), ref: 002A8496
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002A84A8
                                          • FreeLibrary.KERNEL32(00000000,?,00000000,002BCBE4,000000FF,?,002A83F1,?,?,002A83C5,?), ref: 002A84CA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: a109a79a8944562df097825125fe76643a906e4c7e0058dd53504a5bc3248e9a
                                          • Instruction ID: 2a5f3a24ddcd00a1681e12a237836c67e2c20db106c0a6ed9b2059d33893500e
                                          • Opcode Fuzzy Hash: a109a79a8944562df097825125fe76643a906e4c7e0058dd53504a5bc3248e9a
                                          • Instruction Fuzzy Hash: 4701A275924626ABCB018F54EC09FEEBBB8FB09B14F044629E915A2290EB749D10CA90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028DDD9
                                          • collate.LIBCPMT ref: 0028DF54
                                          • numpunct.LIBCPMT ref: 0028E1CE
                                            • Part of subcall function 002883C2: __EH_prolog3.LIBCMT ref: 002883C9
                                            • Part of subcall function 0028815A: __EH_prolog3.LIBCMT ref: 00288161
                                            • Part of subcall function 0028815A: std::_Lockit::_Lockit.LIBCPMT ref: 0028816B
                                            • Part of subcall function 0028815A: std::_Lockit::~_Lockit.LIBCPMT ref: 002881DC
                                            • Part of subcall function 0027EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 0027EB1D
                                            • Part of subcall function 0027EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 0027EB40
                                            • Part of subcall function 0027EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027EB68
                                            • Part of subcall function 0027EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027EC07
                                            • Part of subcall function 00284403: Concurrency::cancel_current_task.LIBCPMT ref: 002844C6
                                            • Part of subcall function 0028764B: __EH_prolog3.LIBCMT ref: 00287652
                                            • Part of subcall function 0028764B: std::_Lockit::_Lockit.LIBCPMT ref: 0028765C
                                            • Part of subcall function 0028764B: std::_Lockit::~_Lockit.LIBCPMT ref: 002876CD
                                          • __Getcoll.LIBCPMT ref: 0028DF94
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                            • Part of subcall function 002784C0: LocalAlloc.KERNEL32(00000040,00000000,0029839D,00000000,253C4779,?,00000000,?,00000000,?,002BCB8D,000000FF,?,002717D5,00000000,002BD3BA), ref: 002784C6
                                            • Part of subcall function 0027B9E0: __Getctype.LIBCPMT ref: 0027B9EB
                                            • Part of subcall function 00287A5E: __EH_prolog3.LIBCMT ref: 00287A65
                                            • Part of subcall function 00287A5E: std::_Lockit::_Lockit.LIBCPMT ref: 00287A6F
                                            • Part of subcall function 00287A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 00287AE0
                                            • Part of subcall function 00287B88: __EH_prolog3.LIBCMT ref: 00287B8F
                                            • Part of subcall function 00287B88: std::_Lockit::_Lockit.LIBCPMT ref: 00287B99
                                            • Part of subcall function 00287B88: std::_Lockit::~_Lockit.LIBCPMT ref: 00287C0A
                                            • Part of subcall function 00287DDC: __EH_prolog3.LIBCMT ref: 00287DE3
                                            • Part of subcall function 00287DDC: std::_Lockit::_Lockit.LIBCPMT ref: 00287DED
                                            • Part of subcall function 00287DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 00287E5E
                                            • Part of subcall function 00287D47: __EH_prolog3.LIBCMT ref: 00287D4E
                                            • Part of subcall function 00287D47: std::_Lockit::_Lockit.LIBCPMT ref: 00287D58
                                            • Part of subcall function 00287D47: std::_Lockit::~_Lockit.LIBCPMT ref: 00287DC9
                                            • Part of subcall function 00284403: __EH_prolog3.LIBCMT ref: 0028440A
                                            • Part of subcall function 00284403: std::_Lockit::_Lockit.LIBCPMT ref: 00284414
                                            • Part of subcall function 00284403: std::_Lockit::~_Lockit.LIBCPMT ref: 002844BB
                                          • codecvt.LIBCPMT ref: 0028E27F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
                                          • String ID:
                                          • API String ID: 2252558201-0
                                          • Opcode ID: 71fb6f525402dc82570c273717aa43d60758b2616a129e0ff17a8a43e4d896ee
                                          • Instruction ID: 9f4551b50e805c890a8ff5735bfe1209851bc1c9c72cc4910c76c3b8589949b8
                                          • Opcode Fuzzy Hash: 71fb6f525402dc82570c273717aa43d60758b2616a129e0ff17a8a43e4d896ee
                                          • Instruction Fuzzy Hash: AEE1E27983221A9BDF117F648C066BF7BA5EF51350F15842EF9186B2C1EB708D309B91
                                          APIs
                                          • __alloca_probe_16.LIBCMT ref: 002AC409
                                          • __alloca_probe_16.LIBCMT ref: 002AC4CA
                                          • __freea.LIBCMT ref: 002AC531
                                            • Part of subcall function 002AB127: HeapAlloc.KERNEL32(00000000,?,?,?,002AAAAA,?,00000000,?,0029C282,?,?,?,?,?,?,00271668), ref: 002AB159
                                          • __freea.LIBCMT ref: 002AC546
                                          • __freea.LIBCMT ref: 002AC556
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16$AllocHeap
                                          • String ID:
                                          • API String ID: 1096550386-0
                                          • Opcode ID: 77214bc32d38e9f0febae38d5bc3e499b48b5b43158ecefbb759a7cf2afa41ed
                                          • Instruction ID: 85ed641285c4154c000545d2af040e71f4378f5c5be0d41fa13d81f71a1dcdb0
                                          • Opcode Fuzzy Hash: 77214bc32d38e9f0febae38d5bc3e499b48b5b43158ecefbb759a7cf2afa41ed
                                          • Instruction Fuzzy Hash: C451C572A30206AFEF215F64CC41EBB37A9EF46350B654129FD04E6251EE71DC308BA0
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 00274B05
                                          • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 00274B25
                                          • LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 00274BAB
                                          • LocalFree.KERNEL32(00000000,253C4779,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 00274C2D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree
                                          • String ID: _B'
                                          • API String ID: 2012307162-4293142643
                                          • Opcode ID: 3b45c78ff7f4c8f69f9fb028b44b422c56645c66e688b1665869e0ece77ec9c2
                                          • Instruction ID: f0375c6397b13e7976d163e5294043cbeb71a8e32283dc89feb3bd3fac571619
                                          • Opcode Fuzzy Hash: 3b45c78ff7f4c8f69f9fb028b44b422c56645c66e688b1665869e0ece77ec9c2
                                          • Instruction Fuzzy Hash: 72510632A142159FC714EF28DC41B6AB7E9FB89314F144B6EF81AD7290DB70ED208B91
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027C5BD
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027C5E0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027C608
                                          • std::_Facet_Register.LIBCPMT ref: 0027C67D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027C6A7
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: c965bbc79bc92bc1bcae2a12a4140399678022d30ee7aec7e0bf2b112d6745a1
                                          • Instruction ID: 2746aa5b7626a230a4c81be4bf1364086909e23fa681052031d61fc541f5414d
                                          • Opcode Fuzzy Hash: c965bbc79bc92bc1bcae2a12a4140399678022d30ee7aec7e0bf2b112d6745a1
                                          • Instruction Fuzzy Hash: E041AF75C11269DFCB11DF68E885BAEBBB8EF44310F24815EE818A7291D770AE14CF91
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027EB1D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027EB40
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027EB68
                                          • std::_Facet_Register.LIBCPMT ref: 0027EBDD
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027EC07
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: e8117d87c60a7fe8a246e44103a15d5ed0d4ca2dc1d0f1f9a637ccf5a700f47f
                                          • Instruction ID: d7062d9a94a99b2ef644347b2fbbb4d72106471dcf893a2ac260086b86264911
                                          • Opcode Fuzzy Hash: e8117d87c60a7fe8a246e44103a15d5ed0d4ca2dc1d0f1f9a637ccf5a700f47f
                                          • Instruction Fuzzy Hash: 0141F270D11269CFDF11DF58D844B9EBBB4FB08314F15819AE805A7391D730AE14CBA1
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027EC5D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027EC80
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027ECA8
                                          • std::_Facet_Register.LIBCPMT ref: 0027ED1D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027ED47
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: 40d86f2b6fcf1b253d04d1735a08bee27664664972ca439c4562ab92c4b649b4
                                          • Instruction ID: 158037287229265d796efd9a01ac98d145d51c77ba3152eb1790e8b5c8eb0103
                                          • Opcode Fuzzy Hash: 40d86f2b6fcf1b253d04d1735a08bee27664664972ca439c4562ab92c4b649b4
                                          • Instruction Fuzzy Hash: D241CF75C21269DFDF21DF58D844BAEBBB4FB04320F15829AE804A7291D730AE14CFA1
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027ED9D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027EDC0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027EDE8
                                          • std::_Facet_Register.LIBCPMT ref: 0027EE5D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027EE87
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: 5d434da468049e70780b7c0e8640e2529722e3131b6f1c955b591db2274726de
                                          • Instruction ID: 25016d6e02d1b80491e0033a6e58563e86af0e5cd706ca976891fc3523fc8bb2
                                          • Opcode Fuzzy Hash: 5d434da468049e70780b7c0e8640e2529722e3131b6f1c955b591db2274726de
                                          • Instruction Fuzzy Hash: C041E331C2125ADFDF11DF58D8447AEBBB4FB04324F15869AE814A7391D730AE54CBA1
                                          APIs
                                          • GetLastError.KERNEL32(00000010,00000010,?,00277912,?,?), ref: 00277C37
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                          • API String ID: 1452528299-1782174991
                                          • Opcode ID: bab0062820d4c87d1d29f1bedeb1e5a795505f940afe0bad10c8fb8f3b9841ce
                                          • Instruction ID: 695779519f45cc42f732cd1f180b8b67838466c3b61220ce6dfb15c65b77acdd
                                          • Opcode Fuzzy Hash: bab0062820d4c87d1d29f1bedeb1e5a795505f940afe0bad10c8fb8f3b9841ce
                                          • Instruction Fuzzy Hash: 6D214549A302A286CB751F3C8401336A2F0EF58755F65586FE8CCDB390EB7A8CD28390
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Maklocstr$Maklocchr
                                          • String ID:
                                          • API String ID: 2020259771-0
                                          • Opcode ID: f0334a0e9ca1171e484c82680fdf6b27fc8263aaf50f6d860b3787e6d49e4bd1
                                          • Instruction ID: 0ff856cc2be3aa926c6a4b7dc55a7256255c84d347daf63542c2dad162c32ed5
                                          • Opcode Fuzzy Hash: f0334a0e9ca1171e484c82680fdf6b27fc8263aaf50f6d860b3787e6d49e4bd1
                                          • Instruction Fuzzy Hash: 40118FB5518744BBE720EFA59881F12B7ACBF08354F244519F5858BA81D265FC608BA4
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002875BD
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002875C7
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • codecvt.LIBCPMT ref: 00287601
                                          • std::_Facet_Register.LIBCPMT ref: 00287618
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287638
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          • Opcode ID: 49b3766b7b3403477495bcdcda3d04be270e46451fe20f0e9ee35dd19425b9a0
                                          • Instruction ID: cd48caa40828d89c3092d799e6412525bac2cde6b82e46b8c1a9780acd5a8c4b
                                          • Opcode Fuzzy Hash: 49b3766b7b3403477495bcdcda3d04be270e46451fe20f0e9ee35dd19425b9a0
                                          • Instruction Fuzzy Hash: E201D6399256699BCF01FF78D8056AD7765AF80310F284409E815AB3D2EF74DE21CF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287652
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0028765C
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • codecvt.LIBCPMT ref: 00287696
                                          • std::_Facet_Register.LIBCPMT ref: 002876AD
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002876CD
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          • Opcode ID: 5c9d6e329e9913f1dc202c33601a0db3daac28b87e6db9e072f427aa888f7beb
                                          • Instruction ID: 8f914adf84db0db450453bf00cc0d57252a59d58da0ce2d345bde3f4bd8a6aac
                                          • Opcode Fuzzy Hash: 5c9d6e329e9913f1dc202c33601a0db3daac28b87e6db9e072f427aa888f7beb
                                          • Instruction Fuzzy Hash: 1F01D6399319298BCF05FB64D8456BD7765AF84310F35440AE8146B3D1EF70DE219F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028777C
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287786
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • collate.LIBCPMT ref: 002877C0
                                          • std::_Facet_Register.LIBCPMT ref: 002877D7
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002877F7
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID:
                                          • API String ID: 1007100420-0
                                          • Opcode ID: 448db4655cae7d05dd289659cd8246d0e184d6c15c85f8ad9819d80bf2a06468
                                          • Instruction ID: 9990c240eb2c716fdfad3df4333cb2b63c3ce65a15a2f411450a36dcbd269e03
                                          • Opcode Fuzzy Hash: 448db4655cae7d05dd289659cd8246d0e184d6c15c85f8ad9819d80bf2a06468
                                          • Instruction Fuzzy Hash: 8E01C03992522ADBCB02FB64D8056AEB771AF80310F28454AE4146B3D2DF709E21CF90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287811
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0028781B
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • ctype.LIBCPMT ref: 00287855
                                          • std::_Facet_Register.LIBCPMT ref: 0028786C
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0028788C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                          • String ID:
                                          • API String ID: 83828444-0
                                          • Opcode ID: 01055a7fcee9bbae8a634bcab94fa5bf7cfcdcc6cbb7e8530829e36c99fec3dc
                                          • Instruction ID: 88e570580cdec57d1b22e22b970008ca3d25b69f3a715c00d4426488b1c64fd4
                                          • Opcode Fuzzy Hash: 01055a7fcee9bbae8a634bcab94fa5bf7cfcdcc6cbb7e8530829e36c99fec3dc
                                          • Instruction Fuzzy Hash: 4B01D239D2662A8BCB05FBA4D8096BD7761AF80310F28450AE815AB3D1DF709E21DF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002878A6
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002878B0
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • messages.LIBCPMT ref: 002878EA
                                          • std::_Facet_Register.LIBCPMT ref: 00287901
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287921
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          • Opcode ID: f9bf0872c1880810483b01fde3a99543c15dfb8f357135e1f9255adc4658c74b
                                          • Instruction ID: 3fbab55b0a6726a26637b976da172ed6ce8b3a14bf71c078a6229194a747c355
                                          • Opcode Fuzzy Hash: f9bf0872c1880810483b01fde3a99543c15dfb8f357135e1f9255adc4658c74b
                                          • Instruction Fuzzy Hash: 0F01C4399211298BCB01FB64D8456AE7761AF80310F38450AE818672D2DF749E21CF90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028793B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287945
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • messages.LIBCPMT ref: 0028797F
                                          • std::_Facet_Register.LIBCPMT ref: 00287996
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002879B6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          • Opcode ID: 929c6a409bd16af344657a5f9c8b04cbefa0c0db81e2bbacd0980d753e6470a0
                                          • Instruction ID: 6c590b38f7d89bd19242e2b482f724c57703e9adf54bf36731989c7ee813423e
                                          • Opcode Fuzzy Hash: 929c6a409bd16af344657a5f9c8b04cbefa0c0db81e2bbacd0980d753e6470a0
                                          • Instruction Fuzzy Hash: 9E01D239D2262A8BCF01FF64D8056AE7762AF80310F28440AF8187B3D1DF709E218F91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287C24
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287C2E
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • moneypunct.LIBCPMT ref: 00287C68
                                          • std::_Facet_Register.LIBCPMT ref: 00287C7F
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287C9F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: 2c0953d9263965d4ebbe07696ced8908d8b7aa9dd9e414f3335102ceeb36837d
                                          • Instruction ID: 054a94c8728ecba85e81d74b71163c853066748007c5a5585cdc900d8b0fe549
                                          • Opcode Fuzzy Hash: 2c0953d9263965d4ebbe07696ced8908d8b7aa9dd9e414f3335102ceeb36837d
                                          • Instruction Fuzzy Hash: 0901D23992262A8FCB11FB64D9457BE77B1AF80310F28440AE8146B3D2DF749E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287CB9
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287CC3
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • moneypunct.LIBCPMT ref: 00287CFD
                                          • std::_Facet_Register.LIBCPMT ref: 00287D14
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287D34
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: cde216334a7e729a6ccf3be2782788844ca072eee6f1f4ae74f3c686cd24b1a5
                                          • Instruction ID: 0a989313703f46d6b6cabff6baf35d92d9750c8c80f6ab42a62c19e5dcaae865
                                          • Opcode Fuzzy Hash: cde216334a7e729a6ccf3be2782788844ca072eee6f1f4ae74f3c686cd24b1a5
                                          • Instruction Fuzzy Hash: 5001D63992562A9BCF05FB64D8156BE7761BF84310F28450AF8156B3D2DF749E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287D4E
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287D58
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • moneypunct.LIBCPMT ref: 00287D92
                                          • std::_Facet_Register.LIBCPMT ref: 00287DA9
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287DC9
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: a25c59dd981e638f64730c5f7b4969a8939902278aa452385c9b1e312b52d72d
                                          • Instruction ID: f298d87246211cb5afd5885ed4eb5f908f787e616bfcece7b8aee8adc4decdd9
                                          • Opcode Fuzzy Hash: a25c59dd981e638f64730c5f7b4969a8939902278aa452385c9b1e312b52d72d
                                          • Instruction Fuzzy Hash: C501D639D2152A8BCB01FF64D8456BD77A1AF85310F38440AF814673D1DF709E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287DE3
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287DED
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • moneypunct.LIBCPMT ref: 00287E27
                                          • std::_Facet_Register.LIBCPMT ref: 00287E3E
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287E5E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: f461bdeaa8dad92b8389f5c8d1c97cc71ea5291c05742b30f4d75cd39a587fee
                                          • Instruction ID: f58ea818fd67951887d42dd2320482d30097c84b55ddc88355c587f07d4d17cb
                                          • Opcode Fuzzy Hash: f461bdeaa8dad92b8389f5c8d1c97cc71ea5291c05742b30f4d75cd39a587fee
                                          • Instruction Fuzzy Hash: 1A0100398226299BCB01FF64D8456BE7761AF80310F38444AE8106B3D2DF309E218F80
                                          APIs
                                          • EnterCriticalSection.KERNEL32(002D4AF8,?,?,00272627,002D571C,002BCCC0), ref: 00297835
                                          • LeaveCriticalSection.KERNEL32(002D4AF8,?,?,00272627,002D571C,002BCCC0), ref: 00297868
                                          • RtlWakeAllConditionVariable.NTDLL ref: 002978DF
                                          • SetEvent.KERNEL32(?,00272627,002D571C,002BCCC0), ref: 002978E9
                                          • ResetEvent.KERNEL32(?,00272627,002D571C,002BCCC0), ref: 002978F5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                          • String ID:
                                          • API String ID: 3916383385-0
                                          • Opcode ID: c7ed0bb69a126ef7dc3bc545a3cc803f4ce2e59e55b9b51baa82feed36bd8b24
                                          • Instruction ID: 24a11d25be30d6769fe043942ebd200cd896fbe105e1edddf930b13050fc35ae
                                          • Opcode Fuzzy Hash: c7ed0bb69a126ef7dc3bc545a3cc803f4ce2e59e55b9b51baa82feed36bd8b24
                                          • Instruction Fuzzy Hash: 7E018C36E56221DBC704FF18FC5CA943B64FB09301B05452BF80693360CBB05D01DB94
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00283C35
                                            • Part of subcall function 00282823: __EH_prolog3.LIBCMT ref: 0028282A
                                            • Part of subcall function 00282823: std::_Lockit::_Lockit.LIBCPMT ref: 00282834
                                            • Part of subcall function 00282823: std::_Lockit::~_Lockit.LIBCPMT ref: 002828A5
                                            • Part of subcall function 0027A2B0: LocalAlloc.KERNEL32(00000040,80000023,00000000,?,?,?,?,00283F08,00000001,?,00000000,?,?,00000001,?,?), ref: 0027A2F3
                                            • Part of subcall function 0027A2B0: LocalFree.KERNEL32(7FFFFFFF,?,?), ref: 0027A399
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: LocalLockitstd::_$AllocFreeH_prolog3H_prolog3_Lockit::_Lockit::~_
                                          • String ID: 0123456789ABCDEFabcdef-+Xx$=J($hcK(
                                          • API String ID: 1009823702-4233917332
                                          • Opcode ID: e044dd82c33744b1010c7b5a90216fc6bf1756aba05a618c4c58a13a3ffc7ea0
                                          • Instruction ID: 71ef0d92cb546d5ad8e9a557f335100e32174aed15e1d633148c367aff307332
                                          • Opcode Fuzzy Hash: e044dd82c33744b1010c7b5a90216fc6bf1756aba05a618c4c58a13a3ffc7ea0
                                          • Instruction Fuzzy Hash: F9D1D338E262899FDF15EFA4C4407ECBBB2AF15700F244499D8856B2C3C7709E65CB90
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002760F4
                                          • GetLastError.KERNEL32 ref: 00276190
                                            • Part of subcall function 00271FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,002B938D,000000FF,?,80070057,?,?,00000000,00000010,00271B09,?), ref: 00272040
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,002CB2DC,00000001,00000000), ref: 0027614E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
                                          • String ID: ntdll.dll
                                          • API String ID: 4113295189-2227199552
                                          • Opcode ID: 7004275620d7e8b254e5642dad1d3f6f4b1a188b4d91791d2e164ba5bc2a1387
                                          • Instruction ID: bc74519ca4816339ec6efd9cacb71f24d45d6abf8c6f00751381398e17aa898f
                                          • Opcode Fuzzy Hash: 7004275620d7e8b254e5642dad1d3f6f4b1a188b4d91791d2e164ba5bc2a1387
                                          • Instruction Fuzzy Hash: 6C31B271A106059BDB20DF68DC49BAEB7F8FF44710F148A1DE429D72C1EBB0A914CB51
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028D2C9
                                            • Part of subcall function 00286FF9: _Maklocstr.LIBCPMT ref: 00287019
                                            • Part of subcall function 00286FF9: _Maklocstr.LIBCPMT ref: 00287036
                                            • Part of subcall function 00286FF9: _Maklocstr.LIBCPMT ref: 00287053
                                            • Part of subcall function 00286FF9: _Maklocchr.LIBCPMT ref: 00287065
                                            • Part of subcall function 00286FF9: _Maklocchr.LIBCPMT ref: 00287078
                                          • _Mpunct.LIBCPMT ref: 0028D356
                                          • _Mpunct.LIBCPMT ref: 0028D370
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                          • String ID: $+xv
                                          • API String ID: 2939335142-1686923651
                                          • Opcode ID: 4559cc4a99c3b8e958f61b72ca848e07fa6ea3e679048481574121e1153c81a6
                                          • Instruction ID: b6fe12c5d9508541f8f0b0cf11c741960f2baedd359f565bd675d0eb37abab36
                                          • Opcode Fuzzy Hash: 4559cc4a99c3b8e958f61b72ca848e07fa6ea3e679048481574121e1153c81a6
                                          • Instruction Fuzzy Hash: B421B2B5814B926FDB25EF74849073BBFF8AB09300B08455AE459C7A81D734E625CF91
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Mpunct$H_prolog3
                                          • String ID: $+xv
                                          • API String ID: 4281374311-1686923651
                                          • Opcode ID: 418673278f4e03edc417bcfef306b5f762431e20e157610c9b5cf3f1fed2ed31
                                          • Instruction ID: 300c13e6f0c7879829363ecc6ac3e060467fd8e897aa711c5e03c7a5bad99e33
                                          • Opcode Fuzzy Hash: 418673278f4e03edc417bcfef306b5f762431e20e157610c9b5cf3f1fed2ed31
                                          • Instruction Fuzzy Hash: A221A1B1814A926EDB21EF758450B7BBEE8AB09300F04455AE499C7A42D734E622CF90
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0029BFC3,00000000,?,002D4EA4,?,?,?,0029C166,00000004,InitializeCriticalSectionEx,002BF92C,InitializeCriticalSectionEx), ref: 0029C01F
                                          • GetLastError.KERNEL32(?,0029BFC3,00000000,?,002D4EA4,?,?,?,0029C166,00000004,InitializeCriticalSectionEx,002BF92C,InitializeCriticalSectionEx,00000000,?,0029BF1D), ref: 0029C029
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0029C051
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID: api-ms-
                                          • API String ID: 3177248105-2084034818
                                          • Opcode ID: 228a62ec9afa8e92fe548b9b7b0b758e304cfc1ff5cd8f350a45394edde33b81
                                          • Instruction ID: 758e7a317013ca47115c65168d89b507e41493331a16a439fcf1e6a908e42ed2
                                          • Opcode Fuzzy Hash: 228a62ec9afa8e92fe548b9b7b0b758e304cfc1ff5cd8f350a45394edde33b81
                                          • Instruction Fuzzy Hash: A8E048302A4209F7DF201F61FC0AF993B559F01B55F204430F90CE40E0E762E96195C4
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: FreeLocal_strcspn
                                          • String ID:
                                          • API String ID: 2585785616-0
                                          • Opcode ID: 4ab54ad27f5728a6d191afa43846831ca8ebc78843b631e4477348eb143361b2
                                          • Instruction ID: e6444ad9dc8e1768453abc06b0eb486e61ad1f7c3c9c634e90d858dae7d20d92
                                          • Opcode Fuzzy Hash: 4ab54ad27f5728a6d191afa43846831ca8ebc78843b631e4477348eb143361b2
                                          • Instruction Fuzzy Hash: A1F16975A10249DFDF14CFA8C884AEEBBB9FF48304F1581A9E819EB251D731A951CF60
                                          APIs
                                          • GetConsoleOutputCP.KERNEL32(253C4779,?,00000000,?), ref: 002B73EE
                                            • Part of subcall function 002B002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,002AC527,?,00000000,-00000008), ref: 002B00D7
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002B7649
                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002B7691
                                          • GetLastError.KERNEL32 ref: 002B7734
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                          • String ID:
                                          • API String ID: 2112829910-0
                                          • Opcode ID: 1a804f8742c3c5cd75c9bba99da4d8d404c7fcc33e6572ca4fc106965259e120
                                          • Instruction ID: a550678af6691141d170998f05ccf8fbb651f1ab9ccd00b1fbe6dd746478b25f
                                          • Opcode Fuzzy Hash: 1a804f8742c3c5cd75c9bba99da4d8d404c7fcc33e6572ca4fc106965259e120
                                          • Instruction Fuzzy Hash: CAD188B5D146589FCB11CFA8D884AEDBBB9FF48340F18852AE855EB391D730A912CF50
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: f77774ebfe694cca4f848ed02e8c8b2245eaa47877178d213996b29b7430ad67
                                          • Instruction ID: df3f87fc594b48bc3aaa4d4edd1669a2f290cf6df6949d47798b40bc7cca0b90
                                          • Opcode Fuzzy Hash: f77774ebfe694cca4f848ed02e8c8b2245eaa47877178d213996b29b7430ad67
                                          • Instruction Fuzzy Hash: 94C18D759212099FDF14EF94C980AEEBBB9FF48300F64401AE805A7291DB30AE65CF61
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: 13dd9e8162ee22834d7f0e044683bdd8175eb9ba19a7f1b0c1364931c5006e31
                                          • Instruction ID: f07f7bf920d466cbf4d311e32393bfe0b283ec729e1fcac078a0444febdeb9c4
                                          • Opcode Fuzzy Hash: 13dd9e8162ee22834d7f0e044683bdd8175eb9ba19a7f1b0c1364931c5006e31
                                          • Instruction Fuzzy Hash: C0C1827592120ADFDF15EF94C981AEEBBB9FF08310F144119E805A7291D730AE69CFA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: AdjustPointer
                                          • String ID:
                                          • API String ID: 1740715915-0
                                          • Opcode ID: 7d859d8aea820dab61bd6e970c9de91316590ba1a79f5d8a652d113da091dc80
                                          • Instruction ID: 76569505cf86a6c77850e140027062c2f75f8f5d2abf46a44d2a5fe0c9685798
                                          • Opcode Fuzzy Hash: 7d859d8aea820dab61bd6e970c9de91316590ba1a79f5d8a652d113da091dc80
                                          • Instruction Fuzzy Hash: C751D376625302AFEF2A8F14EA55B6B77A4FF40310F14452DEC1A97291E731ECA0CB90
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027CA1A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027CA80
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027CB4F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_$Locinfo_ctorLocinfo_dtorLockitLockit::_
                                          • String ID:
                                          • API String ID: 2022693140-0
                                          • Opcode ID: e1b995b3e961ebd8a79355a49fd43c2fde3fd6e8d995df87964f3cefb01b00d1
                                          • Instruction ID: 30e1be1bdb9fac3ac528e04e8817c229f202413a26d81554f8617100afe582fa
                                          • Opcode Fuzzy Hash: e1b995b3e961ebd8a79355a49fd43c2fde3fd6e8d995df87964f3cefb01b00d1
                                          • Instruction Fuzzy Hash: 2251B0B1D15288DAEF11CFB4C94579EBFB4AF15304F2880ADD444A7382E3769A18CB62
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 293a91b8d0cf9b5dde4f3adabb020df9c637048e700958491a6092373b88f2d6
                                          • Instruction ID: b3de95d2a48873b2802b9d6175647c93e8ce356e8070dd386da0fb242b175cb2
                                          • Opcode Fuzzy Hash: 293a91b8d0cf9b5dde4f3adabb020df9c637048e700958491a6092373b88f2d6
                                          • Instruction Fuzzy Hash: D921A4B1228206AF8F20AF71CC40D6B77ADAF423687108D25F91597251EF70DC608BB8
                                          APIs
                                          • GetLastError.KERNEL32(00000000,00000000,76C15490,00278B3A,00000000,?,?,?,?,?,?,?,00000000,002BA285,000000FF), ref: 00279027
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                          • API String ID: 1452528299-1781106413
                                          • Opcode ID: 5f515cf4a1be348a5bdcd46419c602743c22476a9b87608e0c6386e56ca9a68f
                                          • Instruction ID: 74bf09ad3614630453a9a4d2e94aa27c31d665b4ae6d62ae70bc366409d08708
                                          • Opcode Fuzzy Hash: 5f515cf4a1be348a5bdcd46419c602743c22476a9b87608e0c6386e56ca9a68f
                                          • Instruction Fuzzy Hash: 0D217949A3026286CB341F2C880573AA2F0AF54755F65852FE8CDC7390FA7A8CD1C391
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0028440A
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00284414
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002844BB
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 002844C6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                          • String ID:
                                          • API String ID: 4244582100-0
                                          • Opcode ID: 3a0e9aa88789dfac09ea23bbca9d6f5b0737778bf380b1937bc0aada736fa746
                                          • Instruction ID: 0dd24f2a48b4dec4e31607c70646a6cedf3bd08a102563790b8961ea216ba996
                                          • Opcode Fuzzy Hash: 3a0e9aa88789dfac09ea23bbca9d6f5b0737778bf380b1937bc0aada736fa746
                                          • Instruction Fuzzy Hash: 02212738A216269FDB04FF14C895AA8B765FF49710F04855AE9169B7E1DF70ED20CF80
                                          APIs
                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,253C4779), ref: 0028143C
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0028145C
                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0028148D
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 002814A6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandlePointerWrite
                                          • String ID:
                                          • API String ID: 3604237281-0
                                          • Opcode ID: 6c66452a09ab03c09252143da9be608ef634a01e11a7320c4d819b991ec91abd
                                          • Instruction ID: 8e771f67a58899bac5dfc068e7d8ebe3819be609f37a1906bc616ee977a091fc
                                          • Opcode Fuzzy Hash: 6c66452a09ab03c09252143da9be608ef634a01e11a7320c4d819b991ec91abd
                                          • Instruction Fuzzy Hash: 22218174951319EBD720DF54DC0AFAABBB8FB05B24F10461AF510A72C0D7B46A45CBD4
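The records above are easier to triage in bulk than by eye: the interesting signal is the sequence of direct API calls per function plus the argument constants the plugin recovered (trailing entries past the API's real parameter count are stale stack slots and must be ignored). The following parser is an added example, not Joe Sandbox's or the sample's code. It consumes three records copied from this section (the GetSystemDirectoryW/LoadLibraryExW function with String ID ntdll.dll, the LoadLibraryExW helper with String ID api-ms-, and the CreateFileW/SetFilePointer/WriteFile function), with their stale stack-slot arguments shortened, decodes the Win32 flag values, and emits triage notes. The flag tables are from the Win32 SDK; the triage rules and the names parse_records, triage, Call and Record are my own.

```python
"""Parse Joe Sandbox IDA-plugin function records and note what the API sequence
implies.  Added example, not Joe Sandbox code: record format taken from the report,
flag tables from the Win32 SDK, triage rules are the author's own heuristics."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: three records copied from the report, cut down to the lines
# this parser consumes ("APIs" entries and the Similarity String ID); trailing
# stale stack-slot arguments were shortened.
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002760F4
• GetLastError.KERNEL32 ref: 00276190
  • Part of subcall function 00271FC0: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00272040
• LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,002CB2DC,00000001,00000000), ref: 0027614E
Similarity
• String ID: ntdll.dll
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0029BFC3), ref: 0029C01F
• GetLastError.KERNEL32(?,0029BFC3,00000000), ref: 0029C029
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0029C051
Similarity
• String ID: api-ms-
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,253C4779), ref: 0028143C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001), ref: 0028145C
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000), ref: 0028148D
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 002814A6
Similarity
• String ID:
"""

# One "• Api.MODULE(args), ref: addr" line; subcall lines carry the caller's address.
CALL_RE = re.compile(
    r"^\s*• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[\w:~]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^\s*• String ID: ?(?P<val>.*)$")

# Documented parameter counts: the plugin prints extra stack slots beyond these.
ARITY = {"CreateFileW": 7, "SetFilePointer": 4, "WriteFile": 5, "LoadLibraryExW": 3}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
LOADLIB = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
           0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}


def bits(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in table.items() if value & bit]


@dataclass
class Call:
    api: str
    module: str
    args: List[str]            # hex strings, or '?' when unknown statically
    ref: str
    subcall_of: Optional[str] = None

    def arg(self, i: int) -> Optional[int]:
        """Value of documented parameter i (0-based); None if unknown or a stale slot."""
        if i >= min(ARITY.get(self.api, len(self.args)), len(self.args)):
            return None
        return None if self.args[i] == "?" else int(self.args[i], 16)


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    string_id: str = ""

    def strings(self) -> List[str]:
        return [s for s in self.string_id.split("$") if s]   # '$' joins multiple strings


def parse_records(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
            continue
        if not records:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            records[-1].calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = STR_RE.match(line)
        if m:
            records[-1].string_id = m["val"].strip()
    return records


def triage(rec: Record) -> List[str]:
    """Heuristic notes for one record; each still needs a look at the disassembly."""
    notes: List[str] = []
    direct = [c for c in rec.calls if c.subcall_of is None]     # drop subcall noise
    by_api = {c.api: c for c in direct}
    cf, sp = by_api.get("CreateFileW"), by_api.get("SetFilePointer")
    if cf and "WriteFile" in by_api:
        access = "|".join(bits(cf.arg(1) or 0, ACCESS)) or "?"
        seek = MOVE.get(sp.arg(3), "?") if sp else "FILE_BEGIN"
        notes.append(f"file write: CreateFileW({access}, {DISPOSITION.get(cf.arg(4), '?')}) seek={seek}")
    loads = [c for c in direct if c.api == "LoadLibraryExW"]
    for s in rec.strings():
        if loads and s.lower().endswith(".dll"):
            how = ("absolute system-directory path" if "GetSystemDirectoryW" in by_api
                   else "name only (default search order)")
            flags = "|".join(bits(loads[0].arg(2) or 0, LOADLIB)) or "none"
            notes.append(f"loads {s} via {how}; flags={flags}")
    flagsets = [c.arg(2) or 0 for c in loads]
    if any(f & 0x800 for f in flagsets) and 0 in flagsets:
        notes.append("LoadLibraryExW falls back from LOAD_LIBRARY_SEARCH_SYSTEM32 to the "
                     "default search order when the loader rejects the flag; hijack-prone there")
    return notes


if __name__ == "__main__":
    for n, rec in enumerate(parse_records(SAMPLE), 1):
        print(f"record {n}: {[c.api for c in rec.calls if c.subcall_of is None]}")
        for note in triage(rec):
            print("   ", note)
```

The ntdll.dll record resolves as a load by absolute System32 path with flags 0, which is the hijack-safe way to obtain a module handle; what the caller then resolves from ntdll is the part worth reading in the disassembly. The CreateFileW record decodes to GENERIC_WRITE with OPEN_ALWAYS followed by a seek to FILE_END, i.e. an append, which matches the dropped-file and log-style writes listed elsewhere in this report.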
                                          APIs
                                            • Part of subcall function 00297875: EnterCriticalSection.KERNEL32(002D4AF8,00000000,?,?,002725B6,002D571C,253C4779,?,00000000,002B93ED,000000FF,?,00271A26), ref: 00297880
                                            • Part of subcall function 00297875: LeaveCriticalSection.KERNEL32(002D4AF8,?,?,002725B6,002D571C,253C4779,?,00000000,002B93ED,000000FF,?,00271A26,?,?,?,253C4779), ref: 002978BD
                                          • GetProcessHeap.KERNEL32 ref: 00272565
                                            • Part of subcall function 0029782B: EnterCriticalSection.KERNEL32(002D4AF8,?,?,00272627,002D571C,002BCCC0), ref: 00297835
                                            • Part of subcall function 0029782B: LeaveCriticalSection.KERNEL32(002D4AF8,?,?,00272627,002D571C,002BCCC0), ref: 00297868
                                            • Part of subcall function 0029782B: RtlWakeAllConditionVariable.NTDLL ref: 002978DF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
                                          • String ID: W-$ W-$<W-
                                          • API String ID: 325507722-3979539279
                                          • Opcode ID: f3d14080981256ded8d4317e58718f8e1747f8f14259d62d243c3334aaca34d6
                                          • Instruction ID: 7ec2c057b886f978ce9ddd91873f54074949422055446e4bdc83a50eea8b9283
                                          • Opcode Fuzzy Hash: f3d14080981256ded8d4317e58718f8e1747f8f14259d62d243c3334aaca34d6
                                          • Instruction Fuzzy Hash: FF216BB1D36A10DBEB10DFA4E849B89BBE4E705324F20821AD428973D0D3F05D248B91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002880CC
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002880D6
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00288127
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00288147
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: b5e8bd58709d98a4abff30db6f50bff032dbbbc2dbdd0de3f93701e69b5c3fcc
                                          • Instruction ID: 4ed452bf11198e275e039ec20e5a87a034d82861b2afc94be5a43584a7e1a15b
                                          • Opcode Fuzzy Hash: b5e8bd58709d98a4abff30db6f50bff032dbbbc2dbdd0de3f93701e69b5c3fcc
                                          • Instruction Fuzzy Hash: 6201D6799622699BCF01FB64DC596BD7761AF80310F68440AE4146B3D1DF709E22CF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00288161
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0028816B
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 002881BC
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002881DC
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 2f28b5e08ff0d3d66b311d6cacf17927bd591e227761197253549097531db3e0
                                          • Instruction ID: 8a2118961a8ec5afa48131bb2b87b4987c2367d8fe2878f3705673a5ac649ab5
                                          • Opcode Fuzzy Hash: 2f28b5e08ff0d3d66b311d6cacf17927bd591e227761197253549097531db3e0
                                          • Instruction Fuzzy Hash: 3101D6399216299BCB01FB64D8496BE77A1AF84320F68450AF8146B3D1DF709E22CF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002881F6
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00288200
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00288251
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00288271
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: bea9445607a4c4f5a87b805365d4115ee161c84d928876022fe33b096b2878f9
                                          • Instruction ID: fe59623cc5bcf55589eeb7e38237e4a3da551b5f725e2b2dbdc31bbfbbfd9cf4
                                          • Opcode Fuzzy Hash: bea9445607a4c4f5a87b805365d4115ee161c84d928876022fe33b096b2878f9
                                          • Instruction Fuzzy Hash: 9B01C0399216698BCF02FFA4D8156BD7761AF80310F69440AE8146B2D2DF749E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 002879D0
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002879DA
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00287A2B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287A4B
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 6b7b9ab368318c639434dee7066fd0e64c451ad091408e58015f79af3db540b8
                                          • Instruction ID: 24ee16d7c1eb9138fc34242f828bd1db6d836948f4cfb5545b6453c658f86574
                                          • Opcode Fuzzy Hash: 6b7b9ab368318c639434dee7066fd0e64c451ad091408e58015f79af3db540b8
                                          • Instruction Fuzzy Hash: A701D6399252299BCB05FB64D8456BD7761AF90310F644509E9246B3D1DF709E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287A65
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287A6F
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00287AC0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287AE0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 5bf96774ada0cf29fee75a8a5b0878b452069fd268c7c26e2535cfaedb259a3d
                                          • Instruction ID: b25d20f34b570c7ec90d478ac62926d91a1cf00669efe59fdedc8658209edcb1
                                          • Opcode Fuzzy Hash: 5bf96774ada0cf29fee75a8a5b0878b452069fd268c7c26e2535cfaedb259a3d
                                          • Instruction Fuzzy Hash: EA01D2399252299BCB05FB64D8056AE7B61AF80310F28450AE4146B3D2DF709F21CF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287AFA
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287B04
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00287B55
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287B75
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 2d34f17ffa73b900b44e090e3b8373386ab80df69cb525746bb7c5fb5ea36774
                                          • Instruction ID: 6118a4f7dcd971e9be0d1118b379e5c0fb332f8a324adbf35f57629c8f698ed8
                                          • Opcode Fuzzy Hash: 2d34f17ffa73b900b44e090e3b8373386ab80df69cb525746bb7c5fb5ea36774
                                          • Instruction Fuzzy Hash: BA01D6399211298BCB01FFA4D8156FE77B2AF80314F69450AE918AB3D1DF709E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287B8F
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287B99
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00287BEA
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287C0A
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: ce102964c9d5bd3604257a475f4682d7a6bcd336a241e282f2eee596e20922b3
                                          • Instruction ID: 28ae8b4d55b7d7806c3a9e1502dcfce9abb6af1890da362f2209e0e04477a361
                                          • Opcode Fuzzy Hash: ce102964c9d5bd3604257a475f4682d7a6bcd336a241e282f2eee596e20922b3
                                          • Instruction Fuzzy Hash: 530192399256299BCF06FB64D8156BE7761AF90310F28440AE8146B3D2DF749E21CF90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00293CDB
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00293CE5
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00293D36
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00293D56
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 89d36b5d638834938a6249bf56269d53ecd221d64adc89403bc4f52f2d02dcaf
                                          • Instruction ID: 8d8add678e656dad877b1e83f8bd8238355b7a2fb3591fb66ee20da827d5e8a7
                                          • Opcode Fuzzy Hash: 89d36b5d638834938a6249bf56269d53ecd221d64adc89403bc4f52f2d02dcaf
                                          • Instruction Fuzzy Hash: 1801C0399242299FCF05FF64E8166AE7761AF80310F28450AE815AB3D1DF709E218F90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00287F0D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00287F17
                                            • Part of subcall function 0027BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0027BD10
                                            • Part of subcall function 0027BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0027BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00287F68
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00287F88
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 5f307adc927f2afaa0c8cc21acaf68264d7e9fe33bc7de5aa274f106fdaeb174
                                          • Instruction ID: 9eb3214cfd6a57fa81df9115292d69a96672e13e63193c00e395e0c6d96fd3f5
                                          • Opcode Fuzzy Hash: 5f307adc927f2afaa0c8cc21acaf68264d7e9fe33bc7de5aa274f106fdaeb174
                                          • Instruction Fuzzy Hash: 9A01D2399216299BCB06FFA4D8156BE7771AF84310F38850AF9146B3D2DF749E218F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00285C6D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00285C78
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00285CE6
                                            • Part of subcall function 00285DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00285DE0
                                          • std::locale::_Setgloballocale.LIBCPMT ref: 00285C93
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                          • String ID:
                                          • API String ID: 677527491-0
                                          • Opcode ID: db2e8c88cc1c1e199ea2a093790b9931527fd52c33dd71c3319ef2625a1da0c3
                                          • Instruction ID: 96a8a7113b44539b8ac779a6fb903a8757679f3f66a1fc23d3ef0907663379b8
                                          • Opcode Fuzzy Hash: db2e8c88cc1c1e199ea2a093790b9931527fd52c33dd71c3319ef2625a1da0c3
                                          • Instruction Fuzzy Hash: 4501B179A12A618BDB06BF20EC4957D7BA1BF85740B18400AEC1157381CF746E22DFC1
                                          APIs
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,002B8643,?,00000001,?,?,?,002B7788,?,?,00000000), ref: 002B8C8D
                                          • GetLastError.KERNEL32(?,002B8643,?,00000001,?,?,?,002B7788,?,?,00000000,?,?,?,002B7D0F,?), ref: 002B8C99
                                            • Part of subcall function 002B8C5F: CloseHandle.KERNEL32(FFFFFFFE,002B8CA9,?,002B8643,?,00000001,?,?,?,002B7788,?,?,00000000,?,?), ref: 002B8C6F
                                          • ___initconout.LIBCMT ref: 002B8CA9
                                            • Part of subcall function 002B8C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002B8C50,002B8630,?,?,002B7788,?,?,00000000,?), ref: 002B8C34
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,002B8643,?,00000001,?,?,?,002B7788,?,?,00000000,?), ref: 002B8CBE
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                          • String ID:
                                          • API String ID: 2744216297-0
                                          • Opcode ID: a685cdedd6a27bf371a03267fffc682062ee29b339946cd3abce3a65bfabb1e4
                                          • Instruction ID: 9c02cdd5ebfd876851e9e4f7e45bc9f4d9ad6f98b4ed7746503cade13bf035bb
                                          • Opcode Fuzzy Hash: a685cdedd6a27bf371a03267fffc682062ee29b339946cd3abce3a65bfabb1e4
                                          • Instruction Fuzzy Hash: BEF01C76521166BBCF266FD5EC089C93F6AEF087A0F104511FE5D95130DA32C920EFA1
                                          APIs
                                          • SleepConditionVariableCS.KERNELBASE(?,0029789A,00000064), ref: 00297920
                                          • LeaveCriticalSection.KERNEL32(002D4AF8,?,?,0029789A,00000064,?,?,002725B6,002D571C,253C4779,?,00000000,002B93ED,000000FF,?,00271A26), ref: 0029792A
                                          • WaitForSingleObjectEx.KERNEL32(?,00000000,?,0029789A,00000064,?,?,002725B6,002D571C,253C4779,?,00000000,002B93ED,000000FF,?,00271A26), ref: 0029793B
                                          • EnterCriticalSection.KERNEL32(002D4AF8,?,0029789A,00000064,?,?,002725B6,002D571C,253C4779,?,00000000,002B93ED,000000FF,?,00271A26), ref: 00297942
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                          • String ID:
                                          • API String ID: 3269011525-0
                                          • Opcode ID: bc0a3ad74bd1dfdfe1a2b45918c56c13f71b0566514b9b300cfe243c9491dc5a
                                          • Instruction ID: 56306230a79e7b783d55719c7a9186a1f7d32c04074249cf75520c0321cda01c
                                          • Opcode Fuzzy Hash: bc0a3ad74bd1dfdfe1a2b45918c56c13f71b0566514b9b300cfe243c9491dc5a
                                          • Instruction Fuzzy Hash: C3E092369E5125A7CB013B50FC1CADD3F14EB05751B014222F909662A0CBB14C208BD8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: p0-$p0-
                                          • API String ID: 0-2904021490
                                          • Opcode ID: 5503a2ceb563f9d3bffdd981a8368a0bb7691835778fe5418b2ca89bac129a90
                                          • Instruction ID: 2e91758ae5f8154c618d1aeef7bb63e044f23888ee1404fb10474f8997dbd64e
                                          • Opcode Fuzzy Hash: 5503a2ceb563f9d3bffdd981a8368a0bb7691835778fe5418b2ca89bac129a90
                                          • Instruction Fuzzy Hash: BCC164B2E50209AFDB20DBA8CD42FEFB7F8AF09750F150165FE05EB282D67099549B50
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 3732870572-1956417402
                                          • Opcode ID: cb60503385298ffc748e8bc342a6e8394ed888c2b855e920aa13f4e59b22182e
                                          • Instruction ID: 2dddf1cf037ea8540b54598b4cd6dbcb52ec6ee44f9ffae72d74d641a4131607
                                          • Opcode Fuzzy Hash: cb60503385298ffc748e8bc342a6e8394ed888c2b855e920aa13f4e59b22182e
                                          • Instruction Fuzzy Hash: BF51F770B2425A5FDF258E6D885D7BEBBFAAF46310F14406FE4D1D7241C2B489628B60
                                          APIs
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 0027FA3E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Concurrency::cancel_current_task
                                          • String ID: false$true
                                          • API String ID: 118556049-2658103896
                                          • Opcode ID: af4b631fcb2883f35b7193716c2fe6736090a1e6fbe9dd2d54f6155505980ad9
                                          • Instruction ID: 05ef34917a7934e08db10d4afa3dafba022537eacab4e08126a434d04212ead0
                                          • Opcode Fuzzy Hash: af4b631fcb2883f35b7193716c2fe6736090a1e6fbe9dd2d54f6155505980ad9
                                          • Instruction Fuzzy Hash: EE51F9B1D10348DFDB10DFA4C945BEEB7B8FF09304F14826AE849A7281E774A955CB51
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 002922B1
                                          • _swprintf.LIBCMT ref: 00292329
                                            • Part of subcall function 0028780A: __EH_prolog3.LIBCMT ref: 00287811
                                            • Part of subcall function 0028780A: std::_Lockit::_Lockit.LIBCPMT ref: 0028781B
                                            • Part of subcall function 0028780A: std::_Lockit::~_Lockit.LIBCPMT ref: 0028788C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 2348759532-1402515088
                                          • Opcode ID: afdc26c872c86bf7169973b906718de6aba6a96b521b78665dfd5a7df1b26ad7
                                          • Instruction ID: eef917b0473eb909d731ca85442254219c9b506cc5db54ffbc2aa64b398f5dc1
                                          • Opcode Fuzzy Hash: afdc26c872c86bf7169973b906718de6aba6a96b521b78665dfd5a7df1b26ad7
                                          • Instruction Fuzzy Hash: CE516D71D20258EBCF05EFE4D845ADDBBB9FF08300F208559E906AB295EB749929CF50
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00292595
                                          • _swprintf.LIBCMT ref: 0029260D
                                            • Part of subcall function 0027B500: std::_Lockit::_Lockit.LIBCPMT ref: 0027B52D
                                            • Part of subcall function 0027B500: std::_Lockit::_Lockit.LIBCPMT ref: 0027B550
                                            • Part of subcall function 0027B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0027B578
                                            • Part of subcall function 0027B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0027B617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 1487807907-1402515088
                                          • Opcode ID: 4219121870b889ec6348f5a0af077c77748bad4339d6f8d8f3ca2cf632f6a73c
                                          • Instruction ID: 5110326eb99dc8789f54d83eaa79135dc2aa61cfe6cfc203e99586e95e76148c
                                          • Opcode Fuzzy Hash: 4219121870b889ec6348f5a0af077c77748bad4339d6f8d8f3ca2cf632f6a73c
                                          • Instruction Fuzzy Hash: 8C517E71D20208EBCF09DFE4D855ADDBBB9FF08300F208419E906AB295EB759929CF50
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 0029660E
                                          • _swprintf.LIBCMT ref: 00296686
                                            • Part of subcall function 0027C590: std::_Lockit::_Lockit.LIBCPMT ref: 0027C5BD
                                            • Part of subcall function 0027C590: std::_Lockit::_Lockit.LIBCPMT ref: 0027C5E0
                                            • Part of subcall function 0027C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0027C608
                                            • Part of subcall function 0027C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0027C6A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 1487807907-1402515088
                                          • Opcode ID: 2f184898a109729a6ba6c946baa60a1c23b731b3ca846e4040d5b9ed47119a7b
                                          • Instruction ID: da1bbf38a85f1a0844524681aa0b1d54f08ca574d25ce6ca86e938d79efb4930
                                          • Opcode Fuzzy Hash: 2f184898a109729a6ba6c946baa60a1c23b731b3ca846e4040d5b9ed47119a7b
                                          • Instruction Fuzzy Hash: 60515F71D20208EBDF09DFE4D849ADDBBB9FF08300F20851AE506AB295EB759965CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \\?\$\\?\UNC\
                                          • API String ID: 0-3019864461
                                          • Opcode ID: f80a7968b264a55c7059d41160e8c501cfc6e7ad5d5af96db7e9be0a2673454c
                                          • Instruction ID: d4f882613a9e016a5a92a71a7f24993f2faeb95807701c445f8a8547f54947cf
                                          • Opcode Fuzzy Hash: f80a7968b264a55c7059d41160e8c501cfc6e7ad5d5af96db7e9be0a2673454c
                                          • Instruction Fuzzy Hash: 54519270920305DBDB14CF64C985BAEB7B9FF95314F10861DE805B7280DB75A9D4CB94
                                          APIs
                                          • CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00273DA3
                                          • CertGetNameStringW.CRYPT32(000000FF,00000004,00000000,00000000,00000010,000000FF), ref: 00273E3F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CertNameString
                                          • String ID: x-'
                                          • API String ID: 149855834-545460094
                                          • Opcode ID: 6394ef777dfae5dc009287ddec3b076df9426575d0eb6bf68ac0ea6653053b34
                                          • Instruction ID: 8116becc04a1e6f4b89c9b33a4ecf747c95d9d36caa8add0783d5a6f00cdccbb
                                          • Opcode Fuzzy Hash: 6394ef777dfae5dc009287ddec3b076df9426575d0eb6bf68ac0ea6653053b34
                                          • Instruction Fuzzy Hash: 6341AF74A10606DFD714DF68CC05BAAFBB5FF84314F20861AE919A7390E7B1AA50CB90
                                          APIs
                                          • EncodePointer.KERNEL32(00000000,?), ref: 0029B5F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: EncodePointer
                                          • String ID: MOC$RCC
                                          • API String ID: 2118026453-2084237596
                                          • Opcode ID: 3440ddecc6ab3ac55ce8df010f9a0d9811d2308020b17fe92735df527865e857
                                          • Instruction ID: 6f5a8f41f86d0e085fb1b5f6de632f0d290cbe7caad3dec2596094bd7a9ea9c8
                                          • Opcode Fuzzy Hash: 3440ddecc6ab3ac55ce8df010f9a0d9811d2308020b17fe92735df527865e857
                                          • Instruction Fuzzy Hash: 7D416B7191020AAFCF16DF98DE85AEEBBB9FF48304F188169F90467221D735A960DF50
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00292183
                                            • Part of subcall function 0028780A: __EH_prolog3.LIBCMT ref: 00287811
                                            • Part of subcall function 0028780A: std::_Lockit::_Lockit.LIBCPMT ref: 0028781B
                                            • Part of subcall function 0028780A: std::_Lockit::~_Lockit.LIBCPMT ref: 0028788C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                          • String ID: %.0Lf$0123456789-
                                          • API String ID: 2728201062-3094241602
                                          • Opcode ID: d4f419cd30eaa727520e3cc999399df2430639666e8afa159f335c10e78442e2
                                          • Instruction ID: 3c30079f5af3a46a55cbd2213c5f3a1c9c0f59565ec8b21bc3e0f74abcba7a2e
                                          • Opcode Fuzzy Hash: d4f419cd30eaa727520e3cc999399df2430639666e8afa159f335c10e78442e2
                                          • Instruction Fuzzy Hash: 56416A35921219DFCF05EFA4C8809DDBBB9FF09310F140129E815AB255DB30996ACF54
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00292467
                                            • Part of subcall function 0027B500: std::_Lockit::_Lockit.LIBCPMT ref: 0027B52D
                                            • Part of subcall function 0027B500: std::_Lockit::_Lockit.LIBCPMT ref: 0027B550
                                            • Part of subcall function 0027B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0027B578
                                            • Part of subcall function 0027B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0027B617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 2088892359-2494171821
                                          • Opcode ID: 8d42b6a406cd6e8f85444f03f9f9365bd206b8293211d8c6bbdf73d213c18799
                                          • Instruction ID: 2ec1fd5a9b8156b55215083ab8ee9f3b678202cdd44616ccfa27e1e8f42b0686
                                          • Opcode Fuzzy Hash: 8d42b6a406cd6e8f85444f03f9f9365bd206b8293211d8c6bbdf73d213c18799
                                          • Instruction Fuzzy Hash: 8B416D31920118DFCF05EFA8D8919EDBBB9FF08310F554069F805AB251DB309969CF55
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 002964E2
                                            • Part of subcall function 0027C590: std::_Lockit::_Lockit.LIBCPMT ref: 0027C5BD
                                            • Part of subcall function 0027C590: std::_Lockit::_Lockit.LIBCPMT ref: 0027C5E0
                                            • Part of subcall function 0027C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0027C608
                                            • Part of subcall function 0027C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0027C6A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 2088892359-2494171821
                                          • Opcode ID: cd31af71efa6fcb55681df24328de1fce4e89dfd3c72d52e3eff813f1d625545
                                          • Instruction ID: 261c15f4c74ee37fe84a4365b9d4079520bbf5e80b8edc7affb86026f0134d01
                                          • Opcode Fuzzy Hash: cd31af71efa6fcb55681df24328de1fce4e89dfd3c72d52e3eff813f1d625545
                                          • Instruction Fuzzy Hash: 9D417C31D10209AFCF09EFA4D895AEE7BB9EF08310F51405AF815A7255DB309E25CF51
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: H_prolog3___cftoe
                                          • String ID: !%x
                                          • API String ID: 855520168-1893981228
                                          • Opcode ID: 47f9db3c82048a30ae3b3f427bb6d39eaa0039dc515baa14526f07426c1b9dcf
                                          • Instruction ID: 5cd5274f5fc9d0151fc2d672a3605f2b866149100c40c3ae0feeaec38c73ff48
                                          • Opcode Fuzzy Hash: 47f9db3c82048a30ae3b3f427bb6d39eaa0039dc515baa14526f07426c1b9dcf
                                          • Instruction Fuzzy Hash: F9413670E2024AEFDF04DFA8D885AEEBBB5BF08300F044429F955A7242D7309A25CF61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: H_prolog3___cftoe
                                          • String ID: !%x
                                          • API String ID: 855520168-1893981228
                                          • Opcode ID: fb1cf26ead24d420f018ebc6ebf386080aba50498f0e30c191e575cef42c921d
                                          • Instruction ID: adf871c1032d96da67a53ce9704e3bace27d4fc626653079460f8126a2e36d17
                                          • Opcode Fuzzy Hash: fb1cf26ead24d420f018ebc6ebf386080aba50498f0e30c191e575cef42c921d
                                          • Instruction Fuzzy Hash: DB313C75A21209EBDF04DFA4D981AEEB7B6FF48304F204429F945AB251E734AE25CF50
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                           • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: _swprintf
                                          • String ID: %$+
                                          • API String ID: 589789837-2626897407
                                          • Opcode ID: 01ca56a6f7b6debfad665e209e7a7012e2f6cd3956f75c4ceee90ed34c49a683
                                          • Instruction ID: a20c9e37f4ced9c7a8f3a1f423c7fe39ef3740577226dccf314cdd5abc05226c
                                          • Opcode Fuzzy Hash: 01ca56a6f7b6debfad665e209e7a7012e2f6cd3956f75c4ceee90ed34c49a683
                                          • Instruction Fuzzy Hash: 512105711183459FD711CF18D859B9BBBE9AF89304F04C55DFA9887282D734D928CBA3
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: _swprintf
                                          • String ID: %$+
                                          • API String ID: 589789837-2626897407
                                          • Opcode ID: 0a986f174a6e1d7a4058dd0ac3bb0cb00af6b4fc22f3c04e9b47d69819f3ffb3
                                          • Instruction ID: b08006ce6e9172504314c03c830dd8564140607cdfc99d636eb0d5f8d09174db
                                          • Opcode Fuzzy Hash: 0a986f174a6e1d7a4058dd0ac3bb0cb00af6b4fc22f3c04e9b47d69819f3ffb3
                                          • Instruction Fuzzy Hash: 7C21B2752183459FE715CF14C845B9BBBE9AF85300F04C81DF99487292C774D918CBA7
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: _swprintf
                                          • String ID: %$+
                                          • API String ID: 589789837-2626897407
                                          • Opcode ID: 868e954d804f68f75b2d9b0af62c0f50b29aef74e8e4a5096921f5aa9c138f3d
                                          • Instruction ID: 193e1a624685365c486c3f7172b560dfb0764a89a94a83cb5f8d047f2a68fc98
                                          • Opcode Fuzzy Hash: 868e954d804f68f75b2d9b0af62c0f50b29aef74e8e4a5096921f5aa9c138f3d
                                          • Instruction Fuzzy Hash: B221B2712183459FE711CF18D845B9BBBE9AF85300F04C81DF99897292C774D919CBA7
                                          APIs
                                            • Part of subcall function 00281EC4: EnterCriticalSection.KERNEL32(002D4844,?,?,?,00271CE7,00000000,253C4779,?,?,?,?,-00000010,002B9340,000000FF,?,0027202C), ref: 00281ECF
                                            • Part of subcall function 00281EC4: LeaveCriticalSection.KERNEL32(002D4844,?,?,00271CE7,00000000,253C4779,?,?,?,?,-00000010,002B9340,000000FF,?,0027202C), ref: 00281EFB
                                          • FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,253C4779,?,?,?,?,-00000010,002B9340,000000FF,?,0027202C), ref: 00271D06
                                            • Part of subcall function 00271D70: LoadResource.KERNEL32(00000000,00000000,253C4779,00000001,00000000,?,00000000,002B9360,000000FF,?,00271D1C,00000010,?,?,?,-00000010), ref: 00271D9B
                                            • Part of subcall function 00271D70: LockResource.KERNEL32(00000000,?,00271D1C,00000010,?,?,?,-00000010,002B9340,000000FF,?,0027202C,?,00000000,002B938D,000000FF), ref: 00271DA6
                                            • Part of subcall function 00271D70: SizeofResource.KERNEL32(00000000,00000000,?,00271D1C,00000010,?,?,?,-00000010,002B9340,000000FF,?,0027202C,?,00000000,002B938D), ref: 00271DB4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
                                          • String ID: 0H-$0H-
                                          • API String ID: 529824247-2568051993
                                          • Opcode ID: aa0bdbdb252109be34f1681682baaea55cc646bbf6ee6b70e78b8c2232b7f5a6
                                          • Instruction ID: 9b28a84a51ef376604f40f4634eedf586c81dbf1fbe123c89b12944dc0da70b7
                                          • Opcode Fuzzy Hash: aa0bdbdb252109be34f1681682baaea55cc646bbf6ee6b70e78b8c2232b7f5a6
                                          • Instruction Fuzzy Hash: DC113D36F142156BD7259F19AC41B7AB3ECEB49764F00423EED09D33C0DA359C208A90
                                          APIs
                                          • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00278116
                                          • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,253C4779), ref: 00278185
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: ConvertFreeLocalString
                                          • String ID: Invalid SID
                                          • API String ID: 3201929900-130637731
                                          • Opcode ID: dd005437d68ca8193c9150027a5443739667e76800f15a58e1c18591b62e6586
                                          • Instruction ID: 568436c477633f8b624f2734144ea52d51c26ebc262c64b03acb11ff8458e9c5
                                          • Opcode Fuzzy Hash: dd005437d68ca8193c9150027a5443739667e76800f15a58e1c18591b62e6586
                                          • Instruction Fuzzy Hash: 5321C074A103059BDB10CF58C819BAFFBB8FF44B04F10861EE809A7280DBB56A458BD0
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027C16B
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0027C1CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                          • String ID: bad locale name
                                          • API String ID: 3988782225-1405518554
                                          • Opcode ID: 6f6fb21107279bc2953b604f09376cff6fc42847a356c8051e627428ce7f4c17
                                          • Instruction ID: 2ba5aa5a14fcbef9d4993b8336b1ff9abfa13450ca0a4c69393046a3d111853a
                                          • Opcode Fuzzy Hash: 6f6fb21107279bc2953b604f09376cff6fc42847a356c8051e627428ce7f4c17
                                          • Instruction Fuzzy Hash: A7210270815B84DED721CF68C90474BBFF4EF15310F10869EE48997781D3B5AA08CBA1
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00297BCF
                                          • ___raise_securityfailure.LIBCMT ref: 00297CB7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: FeaturePresentProcessor___raise_securityfailure
                                          • String ID: @K-
                                          • API String ID: 3761405300-3649674857
                                          • Opcode ID: 8608598822e24d91abdba8e374bb329836d5401f57e5abfed698ce84f9a5edb5
                                          • Instruction ID: 16a1f126066f5a440463293b4731988c611dded9caaa06007c9c1311b92595d2
                                          • Opcode Fuzzy Hash: 8608598822e24d91abdba8e374bb329836d5401f57e5abfed698ce84f9a5edb5
                                          • Instruction Fuzzy Hash: C621F5B8D232049BD724EF59F99D7547BE4BB18718F50842BE9489B3A0DBB09D408F49
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: H_prolog3_
                                          • String ID: false$true
                                          • API String ID: 2427045233-2658103896
                                          • Opcode ID: a4c273ec6795beeb725e3c05db740b615608b9fa6c42e633178deb5cecf5c543
                                          • Instruction ID: 3abd8b34bcd1824b0745c6a84651253dc02c9385f57d3c00b16d6d59fdb161b5
                                          • Opcode Fuzzy Hash: a4c273ec6795beeb725e3c05db740b615608b9fa6c42e633178deb5cecf5c543
                                          • Instruction Fuzzy Hash: E911D375D11745AFC721EFB4D852B8AB7F4AF09300F04852AE4A98B281EB70E524CF50
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00297CD5
                                          • ___raise_securityfailure.LIBCMT ref: 00297D92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: FeaturePresentProcessor___raise_securityfailure
                                          • String ID: @K-
                                          • API String ID: 3761405300-3649674857
                                          • Opcode ID: 524864250d673b08d3f52d3246c5e4933176998eef31c0a8ed24e20fb7e6d46f
                                          • Instruction ID: 3bbfaa50fbfc17cbb0910b85edb6181962a936aee1df59ffb0cf21bca7a5f59e
                                          • Opcode Fuzzy Hash: 524864250d673b08d3f52d3246c5e4933176998eef31c0a8ed24e20fb7e6d46f
                                          • Instruction Fuzzy Hash: 2E11A2B8D332049BD725EF69F9896447BA4BB18718B41501BE84897360EBB0AD41CF59
                                          APIs
                                            • Part of subcall function 00280B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,253C4779,?,002B93B0,000000FF), ref: 00280B27
                                            • Part of subcall function 00280B00: GetLastError.KERNEL32(?,00000000,00000000,253C4779,?,002B93B0,000000FF), ref: 00280B31
                                          • IsDebuggerPresent.KERNEL32(?,?,002CFAD8), ref: 00281E48
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,002CFAD8), ref: 00281E57
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00281E52
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                          • Associated: 00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_270000_MSIBA7.jbxd
                                          Similarity
                                          • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3511171328-631824599
                                          • Opcode ID: 380aa6280b6459fbc3918d2c99bbd091968be425b53e7d872163dac6317d2707
                                          • Instruction ID: f7a636e8f938a568b291d91cf337d48a85a86fbafb9d50645b4980d3bf09a42c
                                          • Opcode Fuzzy Hash: 380aa6280b6459fbc3918d2c99bbd091968be425b53e7d872163dac6317d2707
                                          • Instruction Fuzzy Hash: B2E0ED346217028FD360BF28E4087C2BBE8AB00744F00881DE885C2282E7B0E828CF51
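The dotted names listed under Memory Dump Source are repeated for every function block above. The helper below is an added example, not output of the Joe Sandbox report; it decodes those names with the standard winnt.h PAGE_* and MEM_* constants so that the five dumps read as a section map of the module the plugin analysed: a read-only page at the image base 0x270000, one executable region at 0x271000 (the region every block names as its Source File), read-only at 0x2BD000, read-write at 0x2D3000 and read-only at 0x2D7000, all of type MEM_IMAGE, which agrees with "based on PE: true". The field order assumed for the .sdmp name (process index, run, dump id, base address, protection, an uninterpreted field, region type, index) and the layout assumed for the snapshot name `hcaresult_<proc>_<run>_<base>_<module>.jbxd` are inferred from the names on this page, not taken from documentation; the constant values themselves are certain.

```python
"""Decode the memory-dump file names listed under "Memory Dump Source".

Added example, not part of the report. The Win32 constants are certain; the
field order of the .sdmp name (process index, run, dump id, base address,
protection, an unidentified field, region type, index) is an assumption
inferred from the five names on this page.
"""
import re

# MEMORY_BASIC_INFORMATION.Protect / .Type values from winnt.h
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Assumed field order; "field6" is the one value (00000001) this example does not interpret.
FIELDS = ("proc", "run", "dump_id", "base", "protect", "field6", "mem_type", "index")

# The five dump names from the report (Source File first, then the Associated ones).
DUMPS = [
    "00000004.00000002.2085643553.0000000000271000.00000020.00000001.01000000.00000003.sdmp",
    "00000004.00000002.2085475875.0000000000270000.00000002.00000001.01000000.00000003.sdmp",
    "00000004.00000002.2085776700.00000000002BD000.00000002.00000001.01000000.00000003.sdmp",
    "00000004.00000002.2085803816.00000000002D3000.00000004.00000001.01000000.00000003.sdmp",
    "00000004.00000002.2085837152.00000000002D7000.00000002.00000001.01000000.00000003.sdmp",
]
# Assumed snapshot-name layout: hcaresult_<proc>_<run>_<base>_<module>.jbxd
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(\w+)\.jbxd$")


def decode_flags(value, table):
    """Render a bitmask with the names from table; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) if names else hex(value)


def parse_dump_name(name):
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected .sdmp name layout: {name}")
    raw = dict(zip(FIELDS, parts))
    protect = int(raw["protect"], 16)
    return {
        "proc": int(raw["proc"], 16),  # zero-padded; hex and decimal agree for this report
        "run": int(raw["run"], 16),
        "dump_id": raw["dump_id"],
        "base": int(raw["base"], 16),
        "protect": decode_flags(protect, PAGE_PROTECT),
        "executable": bool(protect & EXECUTE_MASK),
        "mem_type": decode_flags(int(raw["mem_type"], 16), MEM_TYPE),
    }


def module_layout(names):
    """(base, protection) per dump, sorted by address: the module's section map."""
    return sorted((i["base"], i["protect"]) for i in map(parse_dump_name, names))


def executable_dumps(names):
    """Base addresses of the dumps worth loading into a disassembler."""
    return [i["base"] for i in map(parse_dump_name, names) if i["executable"]]


def snapshot_module(snapshot, names):
    """Module name from the .jbxd snapshot name, plus whether its process, run and
    base fields agree with the dump names (module base = lowest dump address)."""
    m = SNAPSHOT_RE.match(snapshot)
    if not m:
        raise ValueError(f"unexpected snapshot name: {snapshot}")
    proc, run, base, module = int(m.group(1)), int(m.group(2)), int(m.group(3), 16), m.group(4)
    infos = [parse_dump_name(n) for n in names]
    consistent = all(i["proc"] == proc and i["run"] == run for i in infos) \
        and base == min(i["base"] for i in infos)
    return module, consistent


if __name__ == "__main__":
    for base, prot in module_layout(DUMPS):
        print(f"{base:#010x}  {prot}")
    print("code region(s):", [hex(b) for b in executable_dumps(DUMPS)])
    print("snapshot:", snapshot_module("hcaresult_4_2_270000_MSIBA7.jbxd", DUMPS))
```

When triaging a report like this one, `executable_dumps` tells you which single dump carries the code that the fuzzy hashes and API references above were computed over; the read-write region at 0x2D3000 is where the critical-section object at 002D4844 referenced by the EnterCriticalSection/LeaveCriticalSection calls lives.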

                                          Execution Graph

                                          Execution Coverage:1.2%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:343
                                          Total number of Limit Nodes:8
                                          execution_graph 34781 917f70 34784 917fd0 GetTokenInformation 34781->34784 34785 917fa8 34784->34785 34786 91804e GetLastError 34784->34786 34786->34785 34787 918059 34786->34787 34788 91809e GetTokenInformation 34787->34788 34789 918069 _Getvals 34787->34789 34790 918079 34787->34790 34788->34785 34789->34788 34793 918260 45 API calls 3 library calls 34790->34793 34792 918082 34792->34788 34793->34792 34794 937e5e 34795 937e6a __FrameHandler3::FrameUnwindToState 34794->34795 34820 9379c1 34795->34820 34797 937e71 34798 937fc4 34797->34798 34808 937e9b ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock std::locale::_Setgloballocale 34797->34808 34866 9383bd 4 API calls 2 library calls 34798->34866 34800 937fcb 34867 94854c 23 API calls std::locale::_Setgloballocale 34800->34867 34802 937fd1 34868 948510 23 API calls std::locale::_Setgloballocale 34802->34868 34804 937fd9 34805 937eba 34806 937f3b 34831 9384d8 34806->34831 34808->34805 34808->34806 34865 948526 41 API calls 4 library calls 34808->34865 34809 937f41 34835 921a20 GetCommandLineW 34809->34835 34821 9379ca 34820->34821 34869 93801c IsProcessorFeaturePresent 34821->34869 34823 9379d6 34870 93ae59 10 API calls 2 library calls 34823->34870 34825 9379db 34830 9379df 34825->34830 34871 948fb0 34825->34871 34827 9379f6 34827->34797 34830->34797 34930 938e90 34831->34930 34833 9384eb GetStartupInfoW 34834 9384fe 34833->34834 34834->34809 34836 921a60 34835->34836 34931 914ec0 LocalAlloc 34836->34931 34838 921a71 34932 918ba0 34838->34932 34840 921ac9 34841 921add 34840->34841 34842 921acd 34840->34842 34940 920b70 LocalAlloc LocalAlloc 34841->34940 34987 918790 81 API calls __ehhandler$___std_fs_change_permissions@12 34842->34987 34845 921ad6 34847 921c26 ExitProcess 34845->34847 34846 921ae9 34941 920e90 34846->34941 34853 921b2b 34959 91ae00 34853->34959 34855 921b82 34856 921bb4 34855->34856 34857 9129d0 44 API calls 34855->34857 34860 921c08 
34856->34860 34965 918e20 34856->34965 34857->34856 34859 921bef 34859->34860 34988 921400 CreateFileW SetFilePointer WriteFile CloseHandle 34859->34988 34989 914000 42 API calls 34860->34989 34863 921c17 34990 921c30 LocalFree LocalFree 34863->34990 34865->34806 34866->34800 34867->34802 34868->34804 34869->34823 34870->34825 34875 95154e 34871->34875 34874 93ae78 7 API calls 2 library calls 34874->34830 34876 95155e 34875->34876 34877 9379e8 34875->34877 34876->34877 34879 94c2f6 34876->34879 34877->34827 34877->34874 34880 94c302 __FrameHandler3::FrameUnwindToState 34879->34880 34891 9472ca EnterCriticalSection 34880->34891 34882 94c309 34892 951abc 34882->34892 34885 94c327 34907 94c34d LeaveCriticalSection std::_Lockit::~_Lockit 34885->34907 34888 94c322 34906 94c246 GetStdHandle GetFileType 34888->34906 34889 94c338 34889->34876 34891->34882 34893 951ac8 __FrameHandler3::FrameUnwindToState 34892->34893 34894 951ad1 34893->34894 34895 951af2 34893->34895 34916 93c6b0 14 API calls __dosmaperr 34894->34916 34908 9472ca EnterCriticalSection 34895->34908 34898 951ad6 34917 93c5b2 41 API calls ___std_exception_copy 34898->34917 34900 94c318 34900->34885 34905 94c190 44 API calls 34900->34905 34901 951b2a 34918 951b51 LeaveCriticalSection std::_Lockit::~_Lockit 34901->34918 34902 951afe 34902->34901 34909 951a0c 34902->34909 34905->34888 34906->34885 34907->34889 34908->34902 34919 94c72b 34909->34919 34911 951a2b 34927 94aa28 14 API calls __dosmaperr 34911->34927 34913 951a1e 34913->34911 34926 94cddf 6 API calls std::_Locinfo::_Locinfo_ctor 34913->34926 34915 951a80 34915->34902 34916->34898 34917->34900 34918->34900 34925 94c738 __cftoe 34919->34925 34920 94c778 34929 93c6b0 14 API calls __dosmaperr 34920->34929 34921 94c763 RtlAllocateHeap 34923 94c776 34921->34923 34921->34925 34923->34913 34925->34920 34925->34921 34928 9515f6 EnterCriticalSection LeaveCriticalSection __cftoe 34925->34928 34926->34913 34927->34915 34928->34925 34929->34923 34930->34833 
34931->34838 34933 918bf2 34932->34933 34934 918c34 34933->34934 34937 918c22 34933->34937 34935 937708 __ehhandler$___std_fs_change_permissions@12 5 API calls 34934->34935 34936 918c42 34935->34936 34936->34840 34991 937708 34937->34991 34939 918c30 34939->34840 34940->34846 34942 920ea4 34941->34942 34946 921242 34941->34946 34943 9212a0 34942->34943 34942->34946 34999 9183e0 14 API calls 34943->34999 34945 9212b0 RegOpenKeyExW 34945->34946 34947 9212ce RegQueryValueExW 34945->34947 34948 9129d0 34946->34948 34947->34946 34949 9129f1 34948->34949 34949->34949 35000 913b40 34949->35000 34951 912a09 34952 919110 34951->34952 35019 912a10 34952->35019 34954 919156 35037 9198d0 34954->35037 34960 91ae0a 34959->34960 34961 91ae0d 34959->34961 34960->34855 34962 91ae1a ___vcrt_FlsFree 34961->34962 35085 940f1e 42 API calls 2 library calls 34961->35085 34962->34855 34964 91ae2d 34964->34855 34966 918e54 34965->34966 34967 918e69 34965->34967 34966->34859 35086 915f90 GetCurrentProcess OpenProcessToken 34967->35086 34969 918e7c 34970 918f3e 34969->34970 34972 918e96 34969->34972 34971 911fc0 66 API calls 34970->34971 34973 918f65 34971->34973 35091 911fc0 34972->35091 34975 911fc0 66 API calls 34973->34975 34977 918f7a 34975->34977 34976 918eaa 34978 911fc0 66 API calls 34976->34978 34979 911fc0 66 API calls 34977->34979 34980 918ec7 34978->34980 34981 918f8b 34979->34981 34982 911fc0 66 API calls 34980->34982 35157 917660 34981->35157 34984 918ed5 34982->34984 35110 916ee0 34984->35110 34986 918eed 34986->34859 34987->34845 34988->34860 34989->34863 34990->34847 34992 937711 IsProcessorFeaturePresent 34991->34992 34993 937710 34991->34993 34995 937bd9 34992->34995 34993->34939 34998 937b9c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 34995->34998 34997 937cbc 34997->34939 34998->34997 34999->34945 35001 913c15 35000->35001 35003 913b54 35000->35003 35017 913680 42 API calls collate 35001->35017 35002 913b60 _Yarn 35002->34951 
35003->35002 35005 913b8d 35003->35005 35008 913c10 35003->35008 35011 913bd7 35003->35011 35005->35008 35012 913bbf LocalAlloc 35005->35012 35006 913c1a 35018 93c5c2 41 API calls 2 library calls 35006->35018 35016 913af0 RaiseException _com_raise_error collate 35008->35016 35014 913bdb LocalAlloc 35011->35014 35015 913be8 _Yarn 35011->35015 35012->35006 35013 913bcc 35012->35013 35013->35015 35014->35015 35015->34951 35020 912a36 35019->35020 35021 912afc 35020->35021 35022 912a52 _Yarn 35020->35022 35024 912a77 35020->35024 35027 912af7 35020->35027 35028 912ac1 35020->35028 35075 913680 42 API calls collate 35021->35075 35022->34954 35024->35027 35029 912aa9 LocalAlloc 35024->35029 35025 912b01 35076 93c5c2 41 API calls 2 library calls 35025->35076 35074 913af0 RaiseException _com_raise_error collate 35027->35074 35032 912ac5 LocalAlloc 35028->35032 35036 912ad2 _Yarn 35028->35036 35029->35025 35031 912ab6 35029->35031 35031->35036 35032->35036 35036->34954 35038 91992a ___vcrt_FlsFree 35037->35038 35043 919a92 ___vcrt_FlsFree 35037->35043 35041 919955 35038->35041 35038->35043 35039 919a79 35040 937708 __ehhandler$___std_fs_change_permissions@12 5 API calls 35039->35040 35042 91916b 35040->35042 35044 919bd1 35041->35044 35045 919972 35041->35045 35064 919bf0 35042->35064 35043->35039 35046 919bdb 35043->35046 35047 919aeb 35043->35047 35080 914650 42 API calls 35044->35080 35048 913b40 44 API calls 35045->35048 35082 914650 42 API calls 35046->35082 35052 913b40 44 API calls 35047->35052 35053 919996 35048->35053 35050 919bd6 35081 93c5c2 41 API calls 2 library calls 35050->35081 35056 919b0f 35052->35056 35077 919ef0 45 API calls _Yarn 35053->35077 35079 913cc0 42 API calls collate 35056->35079 35059 9199b1 35078 913cc0 42 API calls collate 35059->35078 35061 9199fa 35061->35039 35061->35050 35062 919a6e 35061->35062 35062->35039 35063 919a72 LocalFree 35062->35063 35063->35039 35073 919c6c _Yarn 35064->35073 35065 919183 35065->34853 35066 919e96 

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00915F90: GetCurrentProcess.KERNEL32(00000008,?,72116C99), ref: 00915FA0
                                            • Part of subcall function 00915F90: OpenProcessToken.ADVAPI32(00000000), ref: 00915FA7
                                          • CoInitialize.OLE32(00000000), ref: 00916F55
                                          • CoCreateInstance.OLE32(0095D310,00000000,00000004,0096B320,00000000,?), ref: 00916F85
                                          • CoUninitialize.OLE32 ref: 009174F6
                                          • _com_issue_error.COMSUPP ref: 00917524
                                            • Part of subcall function 00911910: LocalFree.KERNEL32(?,72116C99,?,00000000,009592C0,000000FF,?,?,00971348,00000000,009116D0,80004005), ref: 0091195C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
                                          • String ID: $
                                          • API String ID: 2507920217-3993045852
                                          • Opcode ID: 7bdbd89f5451899b6316e9a2c51de0d3f3947e014e599330df31254ab9a5f1d4
                                          • Instruction ID: 6bd1216464a9a26857fec6c41352703025a4c436521274fa8cdda309ae9c9db2
                                          • Opcode Fuzzy Hash: 7bdbd89f5451899b6316e9a2c51de0d3f3947e014e599330df31254ab9a5f1d4
                                          • Instruction Fuzzy Hash: 4622CE70A0838DDFEB11CFA8C948BEDFBB9AF45304F248199E405EB291D7759A85CB11

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000008,?,72116C99), ref: 00915FA0
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00915FA7
                                          • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00915FDC
                                          • CloseHandle.KERNEL32(?), ref: 00915FF2
                                          Similarity
                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                          • String ID:
                                          • API String ID: 215268677-0
                                          • Opcode ID: 5e005e793267b18bdd131d306b16f11e61e98784638516e51f88e5d689572e09
                                          • Instruction ID: 4f7a128129af2194756a2c8ee38752ab6360451efe3e8a9bbf370f5be264555d
                                          • Opcode Fuzzy Hash: 5e005e793267b18bdd131d306b16f11e61e98784638516e51f88e5d689572e09
                                          • Instruction Fuzzy Hash: A0F06274149301EFE7109F20EC05BAABBE8FB84701F408819F980C22A0D379C55DEB63

                                          Control-flow Graph

                                          APIs
                                          • GetCommandLineW.KERNEL32(72116C99,?,0000FFFF), ref: 00921A4D
                                            • Part of subcall function 00914EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 00914EDD
                                          • ExitProcess.KERNEL32 ref: 00921C27
                                            • Part of subcall function 00918790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0091880D
                                          Similarity
                                          • API ID: AllocCommandCreateExitFileLineLocalProcess
                                          • String ID: Full command line:
                                          • API String ID: 1878577176-831861440
                                          • Opcode ID: 20f9f146e886791dbe2fb6d04d9ccaa2562fb44b8344ea05197f3f2cf11bc731
                                          • Instruction ID: 4d67cd13f6b3b4f8032914b04b680f8e34d449950bb74553993500dc056bfec2
                                          • Opcode Fuzzy Hash: 20f9f146e886791dbe2fb6d04d9ccaa2562fb44b8344ea05197f3f2cf11bc731
                                          • Instruction Fuzzy Hash: 1C519035E1512C9ACB25EB20DC59BEEB7B5AF94340F1441D8E009672A2EF741F88DBA1

                                          Control-flow Graph

                                          APIs
                                          • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00917FA8,72116C99), ref: 00918044
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00917FA8,72116C99), ref: 0091804E
                                          • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00917FA8,72116C99), ref: 009180AA
                                          Similarity
                                          • API ID: InformationToken$ErrorLast
                                          • String ID:
                                          • API String ID: 2567405617-0
                                          • Opcode ID: ef0e563394481264ff4fd4d370dd72547c4b5595f5b7d26c8de50494c370d72f
                                          • Instruction ID: 940268868a1be852be568ca30f27761afee02325bc1642f3c71065389e102c4f
                                          • Opcode Fuzzy Hash: ef0e563394481264ff4fd4d370dd72547c4b5595f5b7d26c8de50494c370d72f
                                          • Instruction Fuzzy Hash: 06318071A046099FD720CFA9CC45BEFFBF9FB48710F204929E515E7280DBB569449B90

                                          Control-flow Graph

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,?,?,?,0094AFDA,00000001,00000364,?,00000006,000000FF,?,0093C282,?,?,?), ref: 0094C76C
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: e46888c3cd2ab25138ab2af0f1809ef7b5b0ba2e5abf8e1585890ecb0d623e13
                                          • Instruction ID: 477f0709b90b42433d5a189e72f5fbeaa2da91c7a58c6a22698fdcebde961af5
                                          • Opcode Fuzzy Hash: e46888c3cd2ab25138ab2af0f1809ef7b5b0ba2e5abf8e1585890ecb0d623e13
                                          • Instruction Fuzzy Hash: 58F0E9B16476256FEBB15A269C45F5B37CC9F91771B144111BC04E6280DF34E801DEE1
                                          Similarity
                                          • API ID: _swprintf$FreeLocal
                                          • String ID: %$+
                                          • API String ID: 2429749586-2626897407
                                          • Opcode ID: 9bafba443baefcc736c665765291fedfe0bf59dfbd60f8a69116cbb7fabbc3c9
                                          • Instruction ID: 0a0d2d1725d084a270ca61d898371969cac2c2bd873b4aff266b6d51d478b827
                                          • Opcode Fuzzy Hash: 9bafba443baefcc736c665765291fedfe0bf59dfbd60f8a69116cbb7fabbc3c9
                                          • Instruction Fuzzy Hash: BE02BE71E1521DABDB19DF68CC40BEEBBB9FF89304F144629F811A7281D734A981CB91
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 009212C4
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,009757C0,00000800), ref: 009212E1
                                          Similarity
                                          • API ID: OpenQueryValue
                                          • String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
                                          • API String ID: 4153817207-1914306501
                                          • Opcode ID: d8da64645e0014f6aba9b2f4b38c0042de036abe3cb71835067e33f76a58e471
                                          • Instruction ID: 53887f65c0bbd3b95bb91da8bcfb49fe979822c48226e0249f63674893d8e3ad
                                          • Opcode Fuzzy Hash: d8da64645e0014f6aba9b2f4b38c0042de036abe3cb71835067e33f76a58e471
                                          • Instruction Fuzzy Hash: 41E1F425A04372CACB349F14E840276B3EAFFA5740F598469E845CB69AE771CCE2C391
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(?,2000000B,00953EC1,00000002,00000000,?,?,?,00953EC1,?,00000000), ref: 00953C3C
                                          • GetLocaleInfoW.KERNEL32(?,20001004,00953EC1,00000002,00000000,?,?,?,00953EC1,?,00000000), ref: 00953C65
                                          • GetACP.KERNEL32(?,?,00953EC1,?,00000000), ref: 00953C7A
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: b714c71abb79606195bfc67adf7fb653c88e71360ea2a97689740448c0b25290
                                          • Instruction ID: 3e35de5560c728aa3acc2d02c3d8b189ddd36b9aaa4d709eb9362ab8bec1f70e
                                          • Opcode Fuzzy Hash: b714c71abb79606195bfc67adf7fb653c88e71360ea2a97689740448c0b25290
                                          • Instruction Fuzzy Hash: CB218632A05101A6DB34CF67C901BA7B3AAEB50BD2B56C964ED8AE7110E732DF48D350
                                          APIs
                                            • Part of subcall function 0094AE3C: GetLastError.KERNEL32(?,00000008,009503BC), ref: 0094AE40
                                            • Part of subcall function 0094AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0094AEE2
                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00953E84
                                          • IsValidCodePage.KERNEL32(00000000), ref: 00953ECD
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00953EDC
                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00953F24
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00953F43
                                          Similarity
                                          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                          • String ID:
                                          • API String ID: 415426439-0
                                          • Opcode ID: ad94f992e96eef32ecd4f4684c0b4e38eaff162d64d1315f8138295ede672608
                                          • Instruction ID: 0b5983a155973e43027a925834cba4b77737ca812ce333fb6c23bb677d854df1
                                          • Opcode Fuzzy Hash: ad94f992e96eef32ecd4f4684c0b4e38eaff162d64d1315f8138295ede672608
                                          • Instruction Fuzzy Hash: 82516172A10205ABDF21DFA6DC46BBE77F8AF48742F148429ED05E7190E7709B0C8B61
                                          APIs
                                            • Part of subcall function 0094AE3C: GetLastError.KERNEL32(?,00000008,009503BC), ref: 0094AE40
                                            • Part of subcall function 0094AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0094AEE2
                                          • GetACP.KERNEL32(?,?,?,?,?,?,0094994B,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 009534D5
                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0094994B,?,?,?,00000055,?,-00000050,?,?), ref: 00953500
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00953663
                                          Similarity
                                          • API ID: ErrorLast$CodeInfoLocalePageValid
                                          • String ID: utf8
                                          • API String ID: 607553120-905460609
                                          • Opcode ID: c4968c6bf114cad099117f9198a475ebffcdbc914533ce5f80cc8656cbc08e6a
                                          • Instruction ID: b2cd8a9accfa037a4b89450ff74eef2f4de42e98857189850fa331d8479f5688
                                          • Opcode Fuzzy Hash: c4968c6bf114cad099117f9198a475ebffcdbc914533ce5f80cc8656cbc08e6a
                                          • Instruction Fuzzy Hash: 22710871604301AADB25EF76CC46FA673ACEF84782F148429FD09D7191FB74EA498760
                                          Similarity
                                          • API ID: _strrchr
                                          • String ID:
                                          • API String ID: 3213747228-0
                                          • Opcode ID: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                          • Instruction ID: 6dee1b230953243c219e40d51d3d88574aa80342817c90c2ece4bbfda119d8e8
                                          • Opcode Fuzzy Hash: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                          • Instruction Fuzzy Hash: 81B15772A042559FDB15CF68C891FFEBBA9EF59310F15816AE905AB242D334DD01CBA0
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 009383C9
                                          • IsDebuggerPresent.KERNEL32 ref: 00938495
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009384B5
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 009384BF
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                          • String ID:
                                          • API String ID: 254469556-0
                                          • Opcode ID: e39f074083a0e263f48e0b7efb995541b6c1968bc5f1eac0b854afd7df535b3e
                                          • Instruction ID: 52d13092cc612df6a730dde25efb4bcfa52860f56400ee0d440a2c221fbc9282
                                          • Opcode Fuzzy Hash: e39f074083a0e263f48e0b7efb995541b6c1968bc5f1eac0b854afd7df535b3e
                                          • Instruction Fuzzy Hash: 13311A75D053189BDB21EF65D9897CDBBB8AF04301F10409AE40DAB250EB715A848F45
                                          APIs
                                          • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,00913270,?), ref: 00922176
                                          • FormatMessageA.KERNEL32(00001300,00000000,72116C99,00000000,00000000,00000000,00000000,?,?,?,00913270,?), ref: 00922198
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: FormatInfoLocaleMessage
                                          • String ID: !x-sys-default-locale
                                          • API String ID: 4235545615-2729719199
                                          • Opcode ID: 3ee4eb304625e25e870ba547934586db9fa2f5ba09f45635f4827daf07574106
                                          • Instruction ID: ca8d7e58fe3879598a4777561e70f131b21b00181c9c5e8333bcf0b4e80cc107
                                          • Opcode Fuzzy Hash: 3ee4eb304625e25e870ba547934586db9fa2f5ba09f45635f4827daf07574106
                                          • Instruction Fuzzy Hash: 43E039B6169218BEEB18AFA1CC0BEAB7A6DEB04791F104114B901D6180E6B16E009BA0

                                          Control-flow Graph (function starting at 00917660; executed / not-executed basic-block rendering not reproduced in text)
                                          APIs
                                          • GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 0091781F
                                          • GetForegroundWindow.USER32(?,?), ref: 009178A4
                                          • ShellExecuteExW.SHELL32(?), ref: 009178C1
                                          • ShellExecuteExW.SHELL32(?), ref: 009178FF
                                          • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00917942
                                          • GetProcAddress.KERNEL32(00000000), ref: 00917949
                                          • AllowSetForegroundWindow.USER32(00000000), ref: 00917953
                                          • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00917973
                                          • GetProcAddress.KERNEL32(00000000), ref: 0091797A
                                          • Sleep.KERNEL32(00000064,?,?,?), ref: 00917997
                                          • EnumWindows.USER32(00917A90,?), ref: 009179B3
                                          • BringWindowToTop.USER32(?), ref: 009179C2
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 009179DF
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 009179EC
                                            • Part of subcall function 00917D30: CloseHandle.KERNEL32(?,72116C99,00000010,00000010,?,?), ref: 00917D72
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00917A9C
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00917AB4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Window$Handle$AddressExecuteForegroundModuleProcProcessShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
                                          • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
                                          • API String ID: 1023610922-986041216
                                          • Opcode ID: 727e5cdff835c724f688c54371ad5c4a248af89c9b5052db250aa5f178edbbc5
                                          • Instruction ID: d7de54452f558e02bbf50dfe9903e868e72929cea1c46d56234561923a881e76
                                          • Opcode Fuzzy Hash: 727e5cdff835c724f688c54371ad5c4a248af89c9b5052db250aa5f178edbbc5
                                          • Instruction Fuzzy Hash: 6AE18E71B0520A9FDB10DFE8C888AEEFBB9EF54314F144169E515EB291EB309985CB60
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0091880D
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00918860
                                          • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 0091886F
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0091888B
                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 0091896B
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 00918977
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 009189B3
                                          • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 009189D2
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 009189EF
                                          • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 00918A83
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00918ACE
                                          • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00918B1C
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 00918B4B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                          • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                          • API String ID: 2199533872-3004881174
                                          • Opcode ID: 15327ecc08a6b8c35949afc0c88e4ca3a27e61c0a400e92414854f7a8c987863
                                          • Instruction ID: 2cb43ac8338a7309ca089ea2faa3f9b2177424b78616ad68d74ba70679a517d6
                                          • Opcode Fuzzy Hash: 15327ecc08a6b8c35949afc0c88e4ca3a27e61c0a400e92414854f7a8c987863
                                          • Instruction Fuzzy Hash: 07C13371B042499FEB208F68CC45BFFBBB9EF85300F144169E9149B2C1EB748A85D7A1
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00974AF8,00000FA0,?,?,00937747), ref: 00937775
                                          • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00937747), ref: 00937780
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00937747), ref: 00937791
                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009377A3
                                          • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009377B1
                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00937747), ref: 009377D4
                                          • DeleteCriticalSection.KERNEL32(00974AF8,00000007,?,?,00937747), ref: 009377F0
                                          • CloseHandle.KERNEL32(00000000,?,?,00937747), ref: 00937800
                                          Strings
                                          • WakeAllConditionVariable, xrefs: 009377A9
                                          • SleepConditionVariableCS, xrefs: 0093779D
                                          • kernel32.dll, xrefs: 0093778C
                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0093777B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                          • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                          • API String ID: 2565136772-3242537097
                                          • Opcode ID: 50fb15820301694f7a25bd6c58859efa9dbcd9f0506c77a16c48c92c76d3f437
                                          • Instruction ID: 996ec3c5ca8238b7c962a959e16c6cd91166ec4e3b9eda0242990afcb1bf0d78
                                          • Opcode Fuzzy Hash: 50fb15820301694f7a25bd6c58859efa9dbcd9f0506c77a16c48c92c76d3f437
                                          • Instruction Fuzzy Hash: F301B5767AE702ABD7355BB6AC0DF267B9CAB85B13F040010FC09E2590DBB0C8409B65
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000018,72116C99,?,00000000), ref: 0091F076
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091F0B3
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0091F11D
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0091F2B9
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091F376
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 0091F39E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name$false$true
                                          • API String ID: 975656625-1062449267
                                          • Opcode ID: c4939ec3198b79a0c9665d5bbb515f772d17c6e82f232edd6c6e3256ebb509c3
                                          • Instruction ID: 3f49c939a3aab085e31d05f58c4606dd5e75d4b5e6f8aad89485dfcfdf76547f
                                          • Opcode Fuzzy Hash: c4939ec3198b79a0c9665d5bbb515f772d17c6e82f232edd6c6e3256ebb509c3
                                          • Instruction Fuzzy Hash: 3DB182B1D0434CDAEF20DFA4C945BDEBBF8BF54304F1481A9E458AB281E7759A88CB51
                                          APIs
                                          • OpenProcess.KERNEL32(00000400,00000000,?,72116C99,?,00000000), ref: 00916AC2
                                          • OpenProcess.KERNEL32(00000400,00000000,00000000,?,72116C99,?,00000000), ref: 00916AE3
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,72116C99,?,00000000), ref: 00916B16
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,72116C99,?,00000000), ref: 00916B27
                                          • CloseHandle.KERNEL32(00000000,?,72116C99,?,00000000), ref: 00916B45
                                          • CloseHandle.KERNEL32(00000000,?,72116C99,?,00000000), ref: 00916B61
                                          • CloseHandle.KERNEL32(00000000,?,72116C99,?,00000000), ref: 00916B89
                                          • CloseHandle.KERNEL32(00000000,?,72116C99,?,00000000), ref: 00916BA5
                                          • CloseHandle.KERNEL32(00000000,?,72116C99,?,00000000), ref: 00916BC3
                                          • CloseHandle.KERNEL32(00000000,?,72116C99,?,00000000), ref: 00916BDF
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: CloseHandle$Process$OpenTimes
                                          • String ID:
                                          • API String ID: 1711917922-0
                                          • Opcode ID: c9438e2ddba39c3e1208d6cabe3434e3bb7a9face94603655b51dfc0395f3340
                                          • Instruction ID: 08c8f3072529857a7119116bc5ddee3c240b7b2d2e20ea780ce26717317a3485
                                          • Opcode Fuzzy Hash: c9438e2ddba39c3e1208d6cabe3434e3bb7a9face94603655b51dfc0395f3340
                                          • Instruction Fuzzy Hash: D45150B1E492189BDB20CF99C984BEEFBF9BF48724F204219E914B72C0C7745945CBA4
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0093083B
                                            • Part of subcall function 0092780A: __EH_prolog3.LIBCMT ref: 00927811
                                            • Part of subcall function 0092780A: std::_Lockit::_Lockit.LIBCPMT ref: 0092781B
                                            • Part of subcall function 0092780A: std::_Lockit::~_Lockit.LIBCPMT ref: 0092788C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1538362411-2891247106
                                          • Opcode ID: 13fd975ab35431e5ea2ee5a0538fca7a10944a6a2605a228234e66131d5ef694
                                          • Instruction ID: d5ba1d7954bd1753c1c2d3bf3198770317cc5792243a1aedea0084459b021438
                                          • Opcode Fuzzy Hash: 13fd975ab35431e5ea2ee5a0538fca7a10944a6a2605a228234e66131d5ef694
                                          • Instruction Fuzzy Hash: FEC1707694020AAFDF18DFA8D9B5EFA7BBCEB85304F144519FA46E3251D6309A10CF60
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009359E9
                                            • Part of subcall function 0091C590: std::_Lockit::_Lockit.LIBCPMT ref: 0091C5BD
                                            • Part of subcall function 0091C590: std::_Lockit::_Lockit.LIBCPMT ref: 0091C5E0
                                            • Part of subcall function 0091C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0091C608
                                            • Part of subcall function 0091C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0091C6A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1383202999-2891247106
                                          • Opcode ID: 80c18c2b112f0899fe9327f5571c5bebcf67b8d3dc8b0ed967e62ef1c44bc984
                                          • Instruction ID: cee662d7f6ffa9e7df970bd39dce4cd0479b84e046d9feeae557c9866e0ac812
                                          • Opcode Fuzzy Hash: 80c18c2b112f0899fe9327f5571c5bebcf67b8d3dc8b0ed967e62ef1c44bc984
                                          • Instruction Fuzzy Hash: 62C18076500509AFDB18DFA8C999EFB7BFCEB4C304F164519FA56A2291D630DA00CF61
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00930C2B
                                            • Part of subcall function 0091B500: std::_Lockit::_Lockit.LIBCPMT ref: 0091B52D
                                            • Part of subcall function 0091B500: std::_Lockit::_Lockit.LIBCPMT ref: 0091B550
                                            • Part of subcall function 0091B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0091B578
                                            • Part of subcall function 0091B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0091B617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1383202999-2891247106
                                          • Opcode ID: 6751d8aa3ba7f2e65c2a5965feb3a47edfb90da5e551a2a9683708bc61317409
                                          • Instruction ID: 073780330aea135bd1f86db846ee363b08207b92024e94ba82d28eedb0b360eb
                                          • Opcode Fuzzy Hash: 6751d8aa3ba7f2e65c2a5965feb3a47edfb90da5e551a2a9683708bc61317409
                                          • Instruction Fuzzy Hash: 87C18476500209AFCB28DF98C975EFF7BECEB89304F144519FA06A2191D631DA14CF60
                                          APIs
                                            • Part of subcall function 00916090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 009160F4
                                            • Part of subcall function 00916090: GetLastError.KERNEL32 ref: 00916190
                                          • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00916632
                                          • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 0091668B
                                          • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00916712
                                          • ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 009167F6
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0091686E
                                          • GetLastError.KERNEL32(?,00000000), ref: 009168C9
                                          • FreeLibrary.KERNEL32(?,?,00000000), ref: 0091691E
                                          Strings
                                          • NtQueryInformationProcess, xrefs: 0091662C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
                                          • String ID: NtQueryInformationProcess
                                          • API String ID: 253270903-2781105232
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 0092D498
                                          • _Maklocstr.LIBCPMT ref: 0092D501
                                          • _Maklocstr.LIBCPMT ref: 0092D513
                                          • _Maklocchr.LIBCPMT ref: 0092D52B
                                          • _Maklocchr.LIBCPMT ref: 0092D53B
                                          • _Getvals.LIBCPMT ref: 0092D55D
                                            • Part of subcall function 0092708B: _Maklocchr.LIBCPMT ref: 009270BA
                                            • Part of subcall function 0092708B: _Maklocchr.LIBCPMT ref: 009270D0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                          • String ID: false$true
                                          • API String ID: 3549167292-2658103896
                                          APIs
                                            • Part of subcall function 00925C66: __EH_prolog3.LIBCMT ref: 00925C6D
                                            • Part of subcall function 00925C66: std::_Lockit::_Lockit.LIBCPMT ref: 00925C78
                                            • Part of subcall function 00925C66: std::locale::_Setgloballocale.LIBCPMT ref: 00925C93
                                            • Part of subcall function 00925C66: std::_Lockit::~_Lockit.LIBCPMT ref: 00925CE6
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091CA1A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0091CA80
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0091CB4F
                                            • Part of subcall function 009245A7: __EH_prolog3.LIBCMT ref: 009245AE
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091CC00
                                          • LocalFree.KERNEL32(?,?,?,0096B6C9,00000000,0096B6C9), ref: 0091CD01
                                          • __cftoe.LIBCMT ref: 0091CE5E
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
                                          • String ID: bad locale name
                                          • API String ID: 2085124900-1405518554
                                          APIs
                                          • type_info::operator==.LIBVCRUNTIME ref: 0093B34B
                                          • ___TypeMatch.LIBVCRUNTIME ref: 0093B459
                                          • _UnwindNestedFrames.LIBCMT ref: 0093B5AB
                                          • CallUnexpected.LIBVCRUNTIME ref: 0093B5C6
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                          • String ID: csm$csm$csm
                                          • API String ID: 2751267872-393685449
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00920322
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00920367
                                          • ___std_exception_copy.LIBVCRUNTIME ref: 009203DE
                                          • LocalFree.KERNEL32(?), ref: 0092041B
                                          • LocalFree.KERNEL32(?,?,?,?,?,72116C99,72116C99,?,?), ref: 00920546
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree$___std_exception_copy
                                          • String ID: ios_base::failbit set$iostream
                                          • API String ID: 2276494016-302468714
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000044,72116C99,?,00000000), ref: 0091BA8B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091BAC8
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0091BB35
                                          • __Getctype.LIBCPMT ref: 0091BB7E
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0091BBF2
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091BCAF
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 3635123611-1405518554
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000018,72116C99,?,00000000,?,?,?,?,?,?,?,00000000,0095ABC5,000000FF), ref: 0091C264
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091C29E
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0091C302
                                          • __Getctype.LIBCPMT ref: 0091C34B
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0091C391
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091C445
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 3635123611-1405518554
                                          APIs
                                          • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 009374C9
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00937557
                                          • __alloca_probe_16.LIBCMT ref: 00937581
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009375C9
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009375E3
                                          • __alloca_probe_16.LIBCMT ref: 00937609
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00937646
                                          • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00937663
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                          • String ID:
                                          • API String ID: 3603178046-0
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,0091C6DF,?,00000001,00000000,?,00000000,?,0091C6DF,?), ref: 00936F6C
                                          • __alloca_probe_16.LIBCMT ref: 00936F98
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,0091C6DF,?,?,00000000,0091CCD3,0000003F,?), ref: 00936FD7
                                          • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0091C6DF,?,?,00000000,0091CCD3,0000003F), ref: 00936FF4
                                          • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,0091C6DF,?,?,00000000,0091CCD3,0000003F), ref: 00937033
                                          • __alloca_probe_16.LIBCMT ref: 00937050
                                          • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0091C6DF,?,?,00000000,0091CCD3,0000003F), ref: 00937092
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0091C6DF,?,?,00000000,0091CCD3,0000003F,?), ref: 009370B5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                          • String ID:
                                          • API String ID: 2040435927-0
                                          APIs
                                          • GetTempFileNameW.KERNEL32(?,URL,00000000,?,72116C99,?,00000004), ref: 009159AA
                                          • LocalFree.KERNEL32(?), ref: 00915ABB
                                          • MoveFileW.KERNEL32(?,00000000), ref: 00915D5B
                                          • DeleteFileW.KERNEL32(?), ref: 00915DA3
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: File$DeleteFreeLocalMoveNameTemp
                                          • String ID: URL$url
                                          • API String ID: 1622375482-346267919
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00916242
                                          • CloseHandle.KERNEL32(00000000), ref: 00916285
                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 009162E1
                                          • OpenProcess.KERNEL32(00000410,00000000,?), ref: 009162FD
                                          • CloseHandle.KERNEL32(00000000), ref: 00916445
                                          • Process32NextW.KERNEL32(?,0000022C), ref: 00916463
                                          • CloseHandle.KERNEL32(00000000), ref: 0091648E
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 708755948-0
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,0000000C,72116C99,?,00000000,00000000,?,?,?,?,00000000,0095B2D1,000000FF,?,0091EBCA,00000000), ref: 0091F624
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091F65A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0091F6BE
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0091F77E
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091F832
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 2968629171-1405518554
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000008,72116C99,?,00000000,00000000,?,?,?,00000000,0095B1DD,000000FF,?,0091ED0A,00000000,?), ref: 0091F3F4
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091F42A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0091F48E
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0091F4FE
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091F5B2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                          • String ID: bad locale name
                                          • API String ID: 2968629171-1405518554
                                          • Opcode ID: 74b6825ad1acaf719c55b16050eac961f09a1444c8887be4572c22235b9083ba
                                          • Instruction ID: 2392a2ca90cce242c764d4f0089742717e2fe3469b2c1f1c91d319ffd22fb472
                                          • Opcode Fuzzy Hash: 74b6825ad1acaf719c55b16050eac961f09a1444c8887be4572c22235b9083ba
                                          • Instruction Fuzzy Hash: E5616EB0E0538CEAEF10CFA8D5547DEBBB8AF14314F144169E454AB281D77A9B48CB61
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00938D67
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00938D6F
                                          • _ValidateLocalCookies.LIBCMT ref: 00938DF8
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00938E23
                                          • _ValidateLocalCookies.LIBCMT ref: 00938E78
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 0692f1bda9f58f0c465d0b1359a866b02c8881ccaefbc2495a14c2ef073a7052
                                          • Instruction ID: 175db073104d1b74b8a9a8ce7ee9add4ce59fbc96194142ef624e5bb43af7c78
                                          • Opcode Fuzzy Hash: 0692f1bda9f58f0c465d0b1359a866b02c8881ccaefbc2495a14c2ef073a7052
                                          • Instruction Fuzzy Hash: F7418034A003099BCF20EF69C885A9FBBB6EF84314F148555F9199B392DB31AA05CF91
                                          APIs
                                          • FreeLibrary.KERNEL32(00000000,?,0094CA78,?,?,?,00000000,?,?,0094CCA2,00000021,FlsSetValue,00961E00,00961E08,?), ref: 0094CA2C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 3664257935-537541572
                                          • Opcode ID: 221107fa92fcc0e1b987911901df5b3158b036b12c8089b47fa262c97aa4e27b
                                          • Instruction ID: 08de35c4735f8596063d87fa2a1be9691c1a5f5871bcb7d9dc3584f18ca564f6
                                          • Opcode Fuzzy Hash: 221107fa92fcc0e1b987911901df5b3158b036b12c8089b47fa262c97aa4e27b
                                          • Instruction Fuzzy Hash: 1F21E7B2A07615AFCB61DB76AC44F6A375CDF427A8F250221E909F7290EA70ED00D7D0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092D8FD
                                          • ctype.LIBCPMT ref: 0092D944
                                            • Part of subcall function 0092D458: __Getctype.LIBCPMT ref: 0092D467
                                            • Part of subcall function 009279C9: __EH_prolog3.LIBCMT ref: 009279D0
                                            • Part of subcall function 009279C9: std::_Lockit::_Lockit.LIBCPMT ref: 009279DA
                                            • Part of subcall function 009279C9: std::_Lockit::~_Lockit.LIBCPMT ref: 00927A4B
                                            • Part of subcall function 00927AF3: __EH_prolog3.LIBCMT ref: 00927AFA
                                            • Part of subcall function 00927AF3: std::_Lockit::_Lockit.LIBCPMT ref: 00927B04
                                            • Part of subcall function 00927AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 00927B75
                                            • Part of subcall function 00927CB2: __EH_prolog3.LIBCMT ref: 00927CB9
                                            • Part of subcall function 00927CB2: std::_Lockit::_Lockit.LIBCPMT ref: 00927CC3
                                            • Part of subcall function 00927CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 00927D34
                                            • Part of subcall function 00927C1D: __EH_prolog3.LIBCMT ref: 00927C24
                                            • Part of subcall function 00927C1D: std::_Lockit::_Lockit.LIBCPMT ref: 00927C2E
                                            • Part of subcall function 00927C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 00927C9F
                                            • Part of subcall function 00924403: __EH_prolog3.LIBCMT ref: 0092440A
                                            • Part of subcall function 00924403: std::_Lockit::_Lockit.LIBCPMT ref: 00924414
                                            • Part of subcall function 00924403: std::_Lockit::~_Lockit.LIBCPMT ref: 009244BB
                                          • collate.LIBCPMT ref: 0092DA78
                                          • numpunct.LIBCPMT ref: 0092DCF2
                                            • Part of subcall function 0092838F: __EH_prolog3.LIBCMT ref: 00928396
                                            • Part of subcall function 009280C5: __EH_prolog3.LIBCMT ref: 009280CC
                                            • Part of subcall function 009280C5: std::_Lockit::_Lockit.LIBCPMT ref: 009280D6
                                            • Part of subcall function 009280C5: std::_Lockit::~_Lockit.LIBCPMT ref: 00928147
                                            • Part of subcall function 009281EF: __EH_prolog3.LIBCMT ref: 009281F6
                                            • Part of subcall function 009281EF: std::_Lockit::_Lockit.LIBCPMT ref: 00928200
                                            • Part of subcall function 009281EF: std::_Lockit::~_Lockit.LIBCPMT ref: 00928271
                                            • Part of subcall function 00924403: Concurrency::cancel_current_task.LIBCPMT ref: 009244C6
                                            • Part of subcall function 009275B6: __EH_prolog3.LIBCMT ref: 009275BD
                                            • Part of subcall function 009275B6: std::_Lockit::_Lockit.LIBCPMT ref: 009275C7
                                            • Part of subcall function 009275B6: std::_Lockit::~_Lockit.LIBCPMT ref: 00927638
                                          • __Getcoll.LIBCPMT ref: 0092DAB8
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                            • Part of subcall function 009184C0: LocalAlloc.KERNEL32(00000040,00000000,0093839D,00000000,72116C99,?,00000000,?,00000000,?,0095CB8D,000000FF,?,009117D5,00000000,0095D3BA), ref: 009184C6
                                          • codecvt.LIBCPMT ref: 0092DDA3
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                          • String ID:
                                          • API String ID: 613171289-0
                                          • Opcode ID: 02d69a1e67bc7962674c164940bc8b8a14dbb3e75a3e83c81451cb3e3ef79460
                                          • Instruction ID: 2d78bd348e2779dee3d5494deeab40a697cafe7e40936e1c0e81ffa53141bf7b
                                          • Opcode Fuzzy Hash: 02d69a1e67bc7962674c164940bc8b8a14dbb3e75a3e83c81451cb3e3ef79460
                                          • Instruction Fuzzy Hash: 98E1467190632A9FDB24AF64AC02BBF7AE9EF81350F10482DF85867299DF718D0097D1
                                          APIs
                                          • #224.MSI(?,00000001,00000000,00000000,00000000), ref: 00912C43
                                          • LocalFree.KERNEL32(?), ref: 00912CA2
                                          • LocalFree.KERNEL32(?), ref: 00912D0C
                                          • CertFreeCertificateContext.CRYPT32(00000000), ref: 00912E94
                                            • Part of subcall function 00913D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00913DA3
                                          • LocalFree.KERNEL32(?), ref: 00912E13
                                          • LocalFree.KERNEL32(?), ref: 00912E6B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Free$Local$Cert$#224CertificateContextNameString
                                          • String ID:
                                          • API String ID: 2665452496-0
                                          • Opcode ID: 56bd692f8510269d7b610d47ec244824983b582f9fa865b4325fbe11d0038980
                                          • Instruction ID: 8d2ba642c6b16cd728e18237ebbf8c6f1b336feac472fba51eab1374c64c7552
                                          • Opcode Fuzzy Hash: 56bd692f8510269d7b610d47ec244824983b582f9fa865b4325fbe11d0038980
                                          • Instruction Fuzzy Hash: 1A919C70A143498FDB18DFA8C5487DEBBB5FF84304F20861DD056AB291DBB5AAC4CB90
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091B52D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091B550
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091B578
                                          • std::_Facet_Register.LIBCPMT ref: 0091B5ED
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091B617
                                          • LocalFree.KERNEL32 ref: 0091B6C0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
                                          • String ID:
                                          • API String ID: 1378673503-0
                                          • Opcode ID: 9d239291fde1c76700cdbfb5670272ba46bd33e07da46ce34bee471032c0d189
                                          • Instruction ID: 3af827f26099922da1afac91e6ddaa742c8fce5add23e44c1a786e83e13eaca1
                                          • Opcode Fuzzy Hash: 9d239291fde1c76700cdbfb5670272ba46bd33e07da46ce34bee471032c0d189
                                          • Instruction Fuzzy Hash: 4251EE71A14758EFCB20CF58D840BAEBBF9FB04320F104659E825A7391D770AE84CB91
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16
                                          • String ID: a/p$am/pm
                                          • API String ID: 3509577899-3206640213
                                          • Opcode ID: f5fd3e8dbb3007d30636058bce8d34fe7a3c042c5ab153af5771f2291cb69774
                                          • Instruction ID: 165a790cfc7c170819c276e0eab7cd9909554b660f395bce8abe47b16430f1f4
                                          • Opcode Fuzzy Hash: f5fd3e8dbb3007d30636058bce8d34fe7a3c042c5ab153af5771f2291cb69774
                                          • Instruction Fuzzy Hash: 55C12571D00A06DBCB28DFE8C889FBAB7B8FF46304F264449E501AB296E3359D41CB51
                                          APIs
                                          • GetLastError.KERNEL32(?,?,0093AEEC,00939710,009385A3), ref: 0093AF03
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0093AF11
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0093AF2A
                                          • SetLastError.KERNEL32(00000000,0093AEEC,00939710,009385A3), ref: 0093AF7C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: bb0941e5de4e3bc0963bcf172112cb7d008d0e0ab953d75e80dc00e6a2434b3d
                                          • Instruction ID: c415f98d24ef67f8821bdd2e663c274d0bfe94ca073ac8108aa09e33b54f955a
                                          • Opcode Fuzzy Hash: bb0941e5de4e3bc0963bcf172112cb7d008d0e0ab953d75e80dc00e6a2434b3d
                                          • Instruction Fuzzy Hash: 7F01F7B311DB216EA73427B57C85B267758EF42BB1F200329F154620F1EF568D407B46
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Mpunct$GetvalsH_prolog3
                                          • String ID: $+xv
                                          • API String ID: 2204710431-1686923651
                                          • Opcode ID: 9bf70c8bd62a2b6cea62eacee2996ea1269a2ffbdbe4d7e475343dc2f4258fad
                                          • Instruction ID: afb4999b957e76e3c48536bf8de5580a06f2983c8eb67bc065e55dc32cffd6ea
                                          • Opcode Fuzzy Hash: 9bf70c8bd62a2b6cea62eacee2996ea1269a2ffbdbe4d7e475343dc2f4258fad
                                          • Instruction Fuzzy Hash: 7221C4B1904BA6AFD725DF74D89073BBEF8AB4D300F04051AE499C7A41D734E601CB90
                                          APIs
                                          • GetCurrentProcess.KERNEL32(72116C99,72116C99,?,?,00000000,0095A221,000000FF), ref: 0091847B
                                            • Part of subcall function 00937875: EnterCriticalSection.KERNEL32(00974AF8,00000000,?,?,009125B6,0097571C,72116C99,?,00000000,009593ED,000000FF,?,00911A26), ref: 00937880
                                            • Part of subcall function 00937875: LeaveCriticalSection.KERNEL32(00974AF8,?,?,009125B6,0097571C,72116C99,?,00000000,009593ED,000000FF,?,00911A26,?,?,?,72116C99), ref: 009378BD
                                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00918440
                                          • GetProcAddress.KERNEL32(00000000), ref: 00918447
                                            • Part of subcall function 0093782B: EnterCriticalSection.KERNEL32(00974AF8,?,?,00912627,0097571C,0095CCC0), ref: 00937835
                                            • Part of subcall function 0093782B: LeaveCriticalSection.KERNEL32(00974AF8,?,?,00912627,0097571C,0095CCC0), ref: 00937868
                                            • Part of subcall function 0093782B: RtlWakeAllConditionVariable.NTDLL ref: 009378DF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                          • String ID: IsWow64Process$kernel32
                                          • API String ID: 2056477612-3789238822
                                          • Opcode ID: c98066f7e6c0ee2126e88db3ad1904f7880ad84d486414b0dff558101114e88e
                                          • Instruction ID: 51dcf4bb91560503f69cb0987125c4f8d444075126e9a4681717459fbccdf7e5
                                          • Opcode Fuzzy Hash: c98066f7e6c0ee2126e88db3ad1904f7880ad84d486414b0dff558101114e88e
                                          • Instruction Fuzzy Hash: CD11B7B2D19708EFCB24CFA4EC05B9D77E8F748721F10465AE815932D0EB756940DB50
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,72116C99,?,?,00000000,0095CBE4,000000FF,?,009483F1,?,?,009483C5,?), ref: 00948496
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009484A8
                                          • FreeLibrary.KERNEL32(00000000,?,00000000,0095CBE4,000000FF,?,009483F1,?,?,009483C5,?), ref: 009484CA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: 1b663f0f07c45cfe56ace8c719fee16c16cee7157fbafc1e35bf62a7017a5731
                                          • Instruction ID: 1b989ab357a90d878f192a2e23043e479125396f50639ae1c20d9e766290be20
                                          • Opcode Fuzzy Hash: 1b663f0f07c45cfe56ace8c719fee16c16cee7157fbafc1e35bf62a7017a5731
                                          • Instruction Fuzzy Hash: F901D631918725AFDB159F51DC09FAFBBBCFB44B19F044125F911E22A0DB749900DB90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092DDD9
                                          • collate.LIBCPMT ref: 0092DF54
                                          • numpunct.LIBCPMT ref: 0092E1CE
                                            • Part of subcall function 009283C2: __EH_prolog3.LIBCMT ref: 009283C9
                                            • Part of subcall function 0092815A: __EH_prolog3.LIBCMT ref: 00928161
                                            • Part of subcall function 0092815A: std::_Lockit::_Lockit.LIBCPMT ref: 0092816B
                                            • Part of subcall function 0092815A: std::_Lockit::~_Lockit.LIBCPMT ref: 009281DC
                                            • Part of subcall function 0091EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 0091EB1D
                                            • Part of subcall function 0091EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 0091EB40
                                            • Part of subcall function 0091EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091EB68
                                            • Part of subcall function 0091EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091EC07
                                            • Part of subcall function 00924403: Concurrency::cancel_current_task.LIBCPMT ref: 009244C6
                                            • Part of subcall function 0092764B: __EH_prolog3.LIBCMT ref: 00927652
                                            • Part of subcall function 0092764B: std::_Lockit::_Lockit.LIBCPMT ref: 0092765C
                                            • Part of subcall function 0092764B: std::_Lockit::~_Lockit.LIBCPMT ref: 009276CD
                                          • __Getcoll.LIBCPMT ref: 0092DF94
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                            • Part of subcall function 009184C0: LocalAlloc.KERNEL32(00000040,00000000,0093839D,00000000,72116C99,?,00000000,?,00000000,?,0095CB8D,000000FF,?,009117D5,00000000,0095D3BA), ref: 009184C6
                                            • Part of subcall function 0091B9E0: __Getctype.LIBCPMT ref: 0091B9EB
                                            • Part of subcall function 00927A5E: __EH_prolog3.LIBCMT ref: 00927A65
                                            • Part of subcall function 00927A5E: std::_Lockit::_Lockit.LIBCPMT ref: 00927A6F
                                            • Part of subcall function 00927A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 00927AE0
                                            • Part of subcall function 00927B88: __EH_prolog3.LIBCMT ref: 00927B8F
                                            • Part of subcall function 00927B88: std::_Lockit::_Lockit.LIBCPMT ref: 00927B99
                                            • Part of subcall function 00927B88: std::_Lockit::~_Lockit.LIBCPMT ref: 00927C0A
                                            • Part of subcall function 00927DDC: __EH_prolog3.LIBCMT ref: 00927DE3
                                            • Part of subcall function 00927DDC: std::_Lockit::_Lockit.LIBCPMT ref: 00927DED
                                            • Part of subcall function 00927DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 00927E5E
                                            • Part of subcall function 00927D47: __EH_prolog3.LIBCMT ref: 00927D4E
                                            • Part of subcall function 00927D47: std::_Lockit::_Lockit.LIBCPMT ref: 00927D58
                                            • Part of subcall function 00927D47: std::_Lockit::~_Lockit.LIBCPMT ref: 00927DC9
                                            • Part of subcall function 00924403: __EH_prolog3.LIBCMT ref: 0092440A
                                            • Part of subcall function 00924403: std::_Lockit::_Lockit.LIBCPMT ref: 00924414
                                            • Part of subcall function 00924403: std::_Lockit::~_Lockit.LIBCPMT ref: 009244BB
                                          • codecvt.LIBCPMT ref: 0092E27F
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
                                          • String ID:
                                          • API String ID: 2252558201-0
                                          • Opcode ID: d3d71bb16d7f72a569a685e836e679c5406cbb1be7fd5e7a5797654f4f7197d2
                                          • Instruction ID: a6cd69fc979b47ba7e1e030eeeb81b0eafddbf74589a313a597c824075f468f1
                                          • Instruction Fuzzy Hash: 16E1447190532A9BDB25AF64AC427BF7EE9EF81350F10482DF8586B299EF708D1087D1
                                          APIs
                                          • __alloca_probe_16.LIBCMT ref: 0094C409
                                          • __alloca_probe_16.LIBCMT ref: 0094C4CA
                                          • __freea.LIBCMT ref: 0094C531
                                            • Part of subcall function 0094B127: HeapAlloc.KERNEL32(00000000,?,?,?,0094AAAA,?,00000000,?,0093C282,?,?,?,?,?,?,00911668), ref: 0094B159
                                          • __freea.LIBCMT ref: 0094C546
                                          • __freea.LIBCMT ref: 0094C556
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16$AllocHeap
                                          • String ID:
                                          • API String ID: 1096550386-0
                                          • Opcode ID: 5438bc602401f9e67e721771b50a8586bd29f9dab0150ad53e8acd975d12abd5
                                          • Instruction ID: 3dfd2cf1e862ba335d18f07cd6810fef2d0af1e084d7c179ddd54e450719f2b4
                                          • Instruction Fuzzy Hash: 0351CFF2606206AFEF649FA4CC81EBF76ADEF84354B154528FD08E6151EB35EC1087A0
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091C5BD
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091C5E0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091C608
                                          • std::_Facet_Register.LIBCPMT ref: 0091C67D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091C6A7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: 52b89abc7e1ded603951c0d137fac0e94f8117710618572d0170e7b7d98aa7bd
                                          • Instruction ID: ca42070427ba3211bdcc9b0a901e828a49edd4cf6d6a1798bb1f7e1961aa0982
                                          • Instruction Fuzzy Hash: 0741D3B2A0425EDFCB10CF58D844BEEBBB8EF44350F194159E81967391D730AE84CB91
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091EB1D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091EB40
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091EB68
                                          • std::_Facet_Register.LIBCPMT ref: 0091EBDD
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091EC07
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: 1bd050b5cbf314df93720f1bd59ddb4c0e03629088942b5112d8c9023b888dfd
                                          • Instruction ID: cc0ca72d3f3ea63203af2edbd8be1758af31ea6ffb038038ba69b530ac51af22
                                          • Instruction Fuzzy Hash: A841F171A1466DDFCB10CF58D841BAEBBB8FB44720F154259E81567391D730AE84CBD1
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091EC5D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091EC80
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091ECA8
                                          • std::_Facet_Register.LIBCPMT ref: 0091ED1D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091ED47
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: 3df25a9626b2c8aad5de4d96224fdcf82438b12fb4387218ef1ed784c998cc17
                                          • Instruction ID: 1e98fa5bb47fc619bfe47e098af8736d4c840d470122c3326e4ffb05167e39d6
                                          • Instruction Fuzzy Hash: 3E41EAB2A00669DFCB15CF58E840BAEBBB8FB40720F154259E804A7291D730AE84CBD1
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091ED9D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091EDC0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091EDE8
                                          • std::_Facet_Register.LIBCPMT ref: 0091EE5D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0091EE87
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: e8dd0e50f6be96bb63d315d5f670dda69661aa99dd1d733c097e48409e03e460
                                          • Instruction ID: 59006b1a7743f8e2a1e6162c605f41c7d361c2ea82ae62aa8f60bb23ce04c542
                                          • Instruction Fuzzy Hash: 33412E72A10619DFCB11CF58D880BEEBBB8FB44324F154659E805A7391D730AE84CBD1
                                          APIs
                                          • GetLastError.KERNEL32(00000010,00000010,?,00917912,?,?), ref: 00917C37
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                          • API String ID: 1452528299-1782174991
                                          • Opcode ID: eb39794b0ecf44fe38b3020a4ffef884b34b04b65bd9b75a541fb2ff8b6d369e
                                          • Instruction ID: 9d6a5d22e37eed735973e4dd78e175986468460a7ad7fd8035463864cac99b6d
                                          • Instruction Fuzzy Hash: 55215749B2026686CB701FBD84003B6E2F4EF54745B65186FE8C9D73A0FB6A8CC28390
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Maklocstr$Maklocchr
                                          • String ID:
                                          • API String ID: 2020259771-0
                                          • Opcode ID: 4302563364c19953bc0c68b1fad74af263aa304d067dfc3a28cba09c61b538a4
                                          • Instruction ID: 8130a72fb9b68cec8bd0a0578b7851ccf4564d1376c6baced26df48006978b72
                                          • Instruction Fuzzy Hash: 16119AB1548750BBE320DBE5A881B12F7ECBB48310F04091AF2999BA41D265F85487A4
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092282A
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00922834
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • numpunct.LIBCPMT ref: 0092286E
                                          • std::_Facet_Register.LIBCPMT ref: 00922885
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009228A5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                          • String ID:
                                          • API String ID: 743221004-0
                                          • Opcode ID: 53b9c6a6366398257f10fbb84f942c8fc2fcf778451972c128793133880f1876
                                          • Instruction ID: b2c16d2772396f72c52f5f009b3aa0e434ea9faeb0e25d754d9f1688025b85ea
                                          • Instruction Fuzzy Hash: EA110436900229ABCF14EB64E8517BE77B5AFC0710F290009F411AB395DF74DE01CB82
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00928037
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00928041
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • numpunct.LIBCPMT ref: 0092807B
                                          • std::_Facet_Register.LIBCPMT ref: 00928092
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009280B2
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                          • String ID:
                                          • API String ID: 743221004-0
                                          • Opcode ID: fb9bc77705ef5c3aff45602bea2b1094b15e5ab42987c502e5e1532dc53cc3ed
                                          • Instruction ID: 07f017b8fbc28543f2a6caf4082e2311e5440e07a524fcd9ec2cd911ce539408
                                          • Instruction Fuzzy Hash: 6701D2379412299BCB14EBA4E8467EEB7B5AFC4310F254409F5146B2D2DF349E45CF80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009275BD
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009275C7
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • codecvt.LIBCPMT ref: 00927601
                                          • std::_Facet_Register.LIBCPMT ref: 00927618
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927638
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          • Opcode ID: f53a2826c1207c990c438f9a1360bc5326ab8798b13e93a4959c632ceca30bad
                                          • Instruction ID: 51ac92917b1b82500b2c3cfe0e51bb533f4ee1822eecf4bd9818756c972c0394
                                          • Instruction Fuzzy Hash: DA01D67690472DDBCF14EBA8E8057AEB7B5AFC4310F150409F4156B296DF349E41CB92
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009276E7
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009276F1
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • collate.LIBCPMT ref: 0092772B
                                          • std::_Facet_Register.LIBCPMT ref: 00927742
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927762
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID:
                                          • API String ID: 1007100420-0
                                          • Opcode ID: 06f5d98cafcac135dc4612fc4675dc1edcdbcf610fe3cccc5c1cea1d7584dd59
                                          • Instruction ID: 512364db98a7a1c30f63b88adee1e7eecf758e11ac6800b4add3eb25d4d016e1
                                          • Instruction Fuzzy Hash: C901D6369082299BCB15EBA8E8057AEB7B5AFC4710F250509F41567296DF349E01DBC0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927652
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0092765C
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • codecvt.LIBCPMT ref: 00927696
                                          • std::_Facet_Register.LIBCPMT ref: 009276AD
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009276CD
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          • Opcode ID: ea4db7be5c50309f10d1d93ec2308d792ac4b47bbb345060655b06002306a5eb
                                          • Instruction ID: 83ac6dcaba50c64880faff16be09eddf0123e357afcf4e822a0d1cc74d57b42d
                                          • Instruction Fuzzy Hash: E901D272A14A299BCF04EBA8E8057BEB7B5AFC4311F254409F4146B292DF34AE419BC5
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092266B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00922675
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • codecvt.LIBCPMT ref: 009226AF
                                          • std::_Facet_Register.LIBCPMT ref: 009226C6
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009226E6
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          • Opcode ID: fb3b4508b75364d56647d516126437d4f2398e9d46ea195afd50b60f9464caa6
                                          • Instruction ID: 91f23c2a70b1bff4937a713532ad5a98e45b8dc0e116e71037abce285b9a0a3c
                                          • Opcode Fuzzy Hash: fb3b4508b75364d56647d516126437d4f2398e9d46ea195afd50b60f9464caa6
                                          • Instruction Fuzzy Hash: 8C01D236914229ABCB05EB64E805BBE7BB5AFC4310F29040AF414AB2D2DF749E41DB81
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092777C
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927786
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • collate.LIBCPMT ref: 009277C0
                                          • std::_Facet_Register.LIBCPMT ref: 009277D7
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009277F7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID:
                                          • API String ID: 1007100420-0
                                          • Opcode ID: 8e4549177ded13c14555d9052fd64bb915851cfed185e9f40bce201f3c72f18d
                                          • Instruction ID: 77c31148f8bd8e43344d7b702273cfebdcfe211404fd964cc1b7512f210ed6ab
                                          • Opcode Fuzzy Hash: 8e4549177ded13c14555d9052fd64bb915851cfed185e9f40bce201f3c72f18d
                                          • Instruction Fuzzy Hash: 70010072948229DBCB04EBA4E8057AEB7B5AFC4310F250409F4246B2C2CF309E01CB80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009278A6
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009278B0
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • messages.LIBCPMT ref: 009278EA
                                          • std::_Facet_Register.LIBCPMT ref: 00927901
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927921
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          • Opcode ID: 03a1a529a3b44028e9eb569d7c3d961217b8bc3bbbe11a2130cbcbb5aa56d284
                                          • Instruction ID: 1d5bc617f54afd0f1580f4383e72829a04a084f45afdd4aa0b6b65490a211f18
                                          • Opcode Fuzzy Hash: 03a1a529a3b44028e9eb569d7c3d961217b8bc3bbbe11a2130cbcbb5aa56d284
                                          • Instruction Fuzzy Hash: 6501D2369043299BCB14FBA8E8467BEB7B6AFC4310F250409F4146B292DF749E41CB80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009338C8
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009338D2
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • collate.LIBCPMT ref: 0093390C
                                          • std::_Facet_Register.LIBCPMT ref: 00933923
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00933943
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID:
                                          • API String ID: 1007100420-0
                                          • Opcode ID: 4141d4cf0b5d40a64e65db1cefc6675d8bf11f3b44f490d17a9ccac4bd63a818
                                          • Instruction ID: 8617e6e3f902862c2681dbf58251df8f65c8941509b4b7c2e38648da09fc3e03
                                          • Opcode Fuzzy Hash: 4141d4cf0b5d40a64e65db1cefc6675d8bf11f3b44f490d17a9ccac4bd63a818
                                          • Instruction Fuzzy Hash: EF01D272984219DBCB15EB64D8057AEBBB9AFC4310F264409F4246B392DF749F418B85
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927811
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0092781B
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • ctype.LIBCPMT ref: 00927855
                                          • std::_Facet_Register.LIBCPMT ref: 0092786C
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0092788C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                          • String ID:
                                          • API String ID: 83828444-0
                                          • Opcode ID: fee463748b5bff219f2be8d4a8970cc9f0080b0081db7ef758745d9097f6510e
                                          • Instruction ID: f89a34560daa490b7f8a9f29848a9e53b7480838c278f97913c8915ff6a06c04
                                          • Opcode Fuzzy Hash: fee463748b5bff219f2be8d4a8970cc9f0080b0081db7ef758745d9097f6510e
                                          • Instruction Fuzzy Hash: 8601D676908229DBCB14EBA4E8497BEB7B5AFC4310F250509F4156B2D6DF349E01CB81
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092793B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927945
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • messages.LIBCPMT ref: 0092797F
                                          • std::_Facet_Register.LIBCPMT ref: 00927996
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009279B6
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          • Opcode ID: c837da01a0f49996758af14a19971f660db2056c7330cf8363fc4df5c3e9d61d
                                          • Instruction ID: 0f55847cd80380a85b3ffe6145e43244cb83d8de391d20d06faf753614062964
                                          • Opcode Fuzzy Hash: c837da01a0f49996758af14a19971f660db2056c7330cf8363fc4df5c3e9d61d
                                          • Instruction Fuzzy Hash: F401D2769443299BCB04EBA4E906BBEB7B6AFC4310F250409F4147B2D2DF749E41CB91
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0093395D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00933967
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • messages.LIBCPMT ref: 009339A1
                                          • std::_Facet_Register.LIBCPMT ref: 009339B8
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009339D8
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          • Opcode ID: ff2ee6246b22cc69269cd9e0d162a1ce9328718679baff3e4eb719e0b33d115d
                                          • Instruction ID: 6044a9182ef798a596a6a4a493fe415b69016bf42293e1fd854846c431f463b8
                                          • Opcode Fuzzy Hash: ff2ee6246b22cc69269cd9e0d162a1ce9328718679baff3e4eb719e0b33d115d
                                          • Instruction Fuzzy Hash: 3801D232A44219DBCB05EB64D8067AE77BAEFC4320F254409F4146B292DF749F41DB81
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00933BB1
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00933BBB
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • moneypunct.LIBCPMT ref: 00933BF5
                                          • std::_Facet_Register.LIBCPMT ref: 00933C0C
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00933C2C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: 78e55922a099f17acb3b95fadd1d6ba6bb890b9ddd319bbe870df2717d5394cf
                                          • Instruction ID: 638633f194f575025c410eb9cd34cd0318d432d114e9b7889c7cd97198a5d81f
                                          • Opcode Fuzzy Hash: 78e55922a099f17acb3b95fadd1d6ba6bb890b9ddd319bbe870df2717d5394cf
                                          • Instruction Fuzzy Hash: 9101D27698422ADBCF15EB64D9067BEB7B5AFC4310F254509F814AB292DF349E01CB80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00933B1C
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00933B26
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • moneypunct.LIBCPMT ref: 00933B60
                                          • std::_Facet_Register.LIBCPMT ref: 00933B77
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00933B97
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: ec0dbfb0ae5616389b48acbf9a2221dc03df19b3b9597407a51016fc3fbc6da0
                                          • Instruction ID: 59a8084b8286e31937a1d3ac517765cf88c734e27d0447ddd3a6ab0abc48b5fe
                                          • Opcode Fuzzy Hash: ec0dbfb0ae5616389b48acbf9a2221dc03df19b3b9597407a51016fc3fbc6da0
                                          • Instruction Fuzzy Hash: D401C0729502299BCF15EB64D8067BEB7B6AFC4310F264409F418AB292DF349E418F80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927CB9
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927CC3
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • moneypunct.LIBCPMT ref: 00927CFD
                                          • std::_Facet_Register.LIBCPMT ref: 00927D14
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927D34
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: e94c72ed8b23e20d5cce6f4f90b2b6cb789db2acf367a4e8898d1964b6f717e4
                                          • Instruction ID: 946c163688a2a51787abb2c434d5b9fb002028c8f76f9c33e707a6ee2e66949b
                                          • Opcode Fuzzy Hash: e94c72ed8b23e20d5cce6f4f90b2b6cb789db2acf367a4e8898d1964b6f717e4
                                          • Instruction Fuzzy Hash: 4301D2729086299BCB04FBA4E8057BEB7B5AFC4310F250909F8157B3D6DF349E058B90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927C24
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927C2E
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • moneypunct.LIBCPMT ref: 00927C68
                                          • std::_Facet_Register.LIBCPMT ref: 00927C7F
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927C9F
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: 3832d745a8a833dcd6dc78a70760c25f0cec0d3d788e39a6c059698f7484abb2
                                          • Instruction ID: 188c4a4d29c3cd390490936dededc67b478d7006c2dd4b3e96a7df2945959365
                                          • Opcode Fuzzy Hash: 3832d745a8a833dcd6dc78a70760c25f0cec0d3d788e39a6c059698f7484abb2
                                          • Instruction Fuzzy Hash: 5601D232944229DBCB14EBB4E9457BEBBB5AFC4310F250409F4246B392DF34AE058B80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927DE3
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927DED
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • moneypunct.LIBCPMT ref: 00927E27
                                          • std::_Facet_Register.LIBCPMT ref: 00927E3E
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927E5E
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: 8f2633833428f7907e52f64bc632f5799c4d5960ccb5b4f9f19cf2b386f40479
                                          • Instruction ID: d3c23bf7de78261d4811298bc407ddb8283e9e78977558aae554de3fe54385b2
                                          • Opcode Fuzzy Hash: 8f2633833428f7907e52f64bc632f5799c4d5960ccb5b4f9f19cf2b386f40479
                                          • Instruction Fuzzy Hash: FB01D272A08629DBCB14EBA4E8057BEB7B5AFC4710F260449F5156B2E2DF349E01DB90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927D4E
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927D58
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • moneypunct.LIBCPMT ref: 00927D92
                                          • std::_Facet_Register.LIBCPMT ref: 00927DA9
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927DC9
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          • Opcode ID: ef30b4075904ea9bc0f8faafeee1d576e4e7a05ea39f258a9912820ac8cc9471
                                          • Instruction ID: b6a668f0c59090ce40371bb87f69a3ef98d5f8652bbffa588802db1898442b48
                                          • Opcode Fuzzy Hash: ef30b4075904ea9bc0f8faafeee1d576e4e7a05ea39f258a9912820ac8cc9471
                                          • Instruction Fuzzy Hash: 3A01D236A046299BCB14EBA4E905BBEB7B6AFC4310F250409F4156B2D6DF349E01DBC0
                                          APIs
                                          • EnterCriticalSection.KERNEL32(00974AF8,?,?,00912627,0097571C,0095CCC0), ref: 00937835
                                          • LeaveCriticalSection.KERNEL32(00974AF8,?,?,00912627,0097571C,0095CCC0), ref: 00937868
                                          • RtlWakeAllConditionVariable.NTDLL ref: 009378DF
                                          • SetEvent.KERNEL32(?,00912627,0097571C,0095CCC0), ref: 009378E9
                                          • ResetEvent.KERNEL32(?,00912627,0097571C,0095CCC0), ref: 009378F5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                          • String ID:
                                          • API String ID: 3916383385-0
                                          • Opcode ID: d887d3b0de886afdcf9174e9e240cdf95385207af9e1ca37c305f8d2e3959b3d
                                          • Instruction ID: 46a00e5547ae9d5e5b48199206f71d6310d408fe2b257581cbab29fc506a925f
                                          • Opcode Fuzzy Hash: d887d3b0de886afdcf9174e9e240cdf95385207af9e1ca37c305f8d2e3959b3d
                                          • Instruction Fuzzy Hash: 90018172A6E611DBC728AF18FC48A987B64FB09312B014029E80983721CB706D41FFA4
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 009160F4
                                          • GetLastError.KERNEL32 ref: 00916190
                                            • Part of subcall function 00911FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,0095938D,000000FF,?,80070057,?,?,00000000,00000010,00911B09,?), ref: 00912040
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,0096B2DC,00000001,00000000), ref: 0091614E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
                                          • String ID: ntdll.dll
                                          • API String ID: 4113295189-2227199552
                                          • Opcode ID: 3b30533c1469b20f8b66b26903cb6f1c1f3044de9860223f5db93458763e7b37
                                          • Instruction ID: ec8f0e1111466c93a5811c14967b097bb37e87a194b24643ed0aa0c43810a692
                                          • Opcode Fuzzy Hash: 3b30533c1469b20f8b66b26903cb6f1c1f3044de9860223f5db93458763e7b37
                                          • Instruction Fuzzy Hash: B531AE71A04609ABD720DF69CC44BEEB7F9BF44710F108A19E429D72C1EB70A944CB90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092D2C9
                                            • Part of subcall function 00926FF9: _Maklocstr.LIBCPMT ref: 00927019
                                            • Part of subcall function 00926FF9: _Maklocstr.LIBCPMT ref: 00927036
                                            • Part of subcall function 00926FF9: _Maklocstr.LIBCPMT ref: 00927053
                                            • Part of subcall function 00926FF9: _Maklocchr.LIBCPMT ref: 00927065
                                            • Part of subcall function 00926FF9: _Maklocchr.LIBCPMT ref: 00927078
                                          • _Mpunct.LIBCPMT ref: 0092D356
                                          • _Mpunct.LIBCPMT ref: 0092D370
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                          • String ID: $+xv
                                          • API String ID: 2939335142-1686923651
                                          • Opcode ID: 49bfb9bb93080ec0108aa81be5f259b809add6400b64b46a584188ce260f68b8
                                          • Instruction ID: 9253f684d189856c0dc83ce10e87492a742f1bb5688b4ddc5c996667b7fa1243
                                          • Opcode Fuzzy Hash: 49bfb9bb93080ec0108aa81be5f259b809add6400b64b46a584188ce260f68b8
                                          • Instruction Fuzzy Hash: 1A21B0B1904B66AEDB21DF74D490B7BBEF8AB49300F040A1AE499C7A41D734EA01CB90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Mpunct$H_prolog3
                                          • String ID: $+xv
                                          • API String ID: 4281374311-1686923651
                                          • Opcode ID: acade55b447a223cb29fc8c80fc15b4f99b6eb97b5fb148382ac47e777118d89
                                          • Instruction ID: 76f7d911181540cdd3cbd5ba8148663a0492a6606e188d985aca89d04ba6f595
                                          • Opcode Fuzzy Hash: acade55b447a223cb29fc8c80fc15b4f99b6eb97b5fb148382ac47e777118d89
                                          • Instruction Fuzzy Hash: E521B0B1904B96AED721DF74C490B3BBEF8BB49300F04491AE069C7A01D734E601CF90
                                          APIs
                                          • LoadResource.KERNEL32(00000000,00000000,72116C99,00000001,00000000,?,00000000,00959360,000000FF,?,00911D1C,00000010,?,?,?,-00000010), ref: 00911D9B
                                          • LockResource.KERNEL32(00000000,?,00911D1C,00000010,?,?,?,-00000010,00959340,000000FF,?,0091202C,?,00000000,0095938D,000000FF), ref: 00911DA6
                                          • SizeofResource.KERNEL32(00000000,00000000,?,00911D1C,00000010,?,?,?,-00000010,00959340,000000FF,?,0091202C,?,00000000,0095938D), ref: 00911DB4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Resource$LoadLockSizeof
                                          • String ID: @"vpD$v
                                          • API String ID: 2853612939-3189754618
                                          • Opcode ID: d2eda961b825e1ebd0841ea45a806a141c2cab4d7deb5564324ec4bf69886e35
                                          • Instruction ID: 55ac57e94536505e76ad9e301d6948be5d089341dd1c2aa067e8595b0b16196c
                                          • Opcode Fuzzy Hash: d2eda961b825e1ebd0841ea45a806a141c2cab4d7deb5564324ec4bf69886e35
                                          • Instruction Fuzzy Hash: 3911EB36B04A59ABD7349F1AEC45BA6F7ECE785711F01492EED16D3280E6359C408690
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0093BFC3,00000000,?,00974EA4,?,?,?,0093C166,00000004,InitializeCriticalSectionEx,0095F92C,InitializeCriticalSectionEx), ref: 0093C01F
                                          • GetLastError.KERNEL32(?,0093BFC3,00000000,?,00974EA4,?,?,?,0093C166,00000004,InitializeCriticalSectionEx,0095F92C,InitializeCriticalSectionEx,00000000,?,0093BF1D), ref: 0093C029
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0093C051
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID: api-ms-
                                          • API String ID: 3177248105-2084034818
                                          • Opcode ID: e27c4d4cdfcf516a7e1b1e6eede0aabd2d2138f900488099f8e5db9d2d38d169
                                          • Instruction ID: 1cbd475904aeabf8fc0e2aed979ee15226b11ab80965717a0405be3a71e63636
                                          • Opcode Fuzzy Hash: e27c4d4cdfcf516a7e1b1e6eede0aabd2d2138f900488099f8e5db9d2d38d169
                                          • Instruction Fuzzy Hash: 95E01A70289708B7EF201F62EC06B593B599F40B56F204020FA0CE84E0DB61A955ABC5
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: FreeLocal_strcspn
                                          • String ID:
                                          • API String ID: 2585785616-0
                                          • Opcode ID: 65282d3dc27204265f5e741a31608cd4614d91430a9dbafcf7ecb59c206291e8
                                          • Instruction ID: 98dc802e9e42439c9cbb4f9eb2ce280c4e091b2e31b732b4a1757c3bba149a2e
                                          • Opcode Fuzzy Hash: 65282d3dc27204265f5e741a31608cd4614d91430a9dbafcf7ecb59c206291e8
                                          • Instruction Fuzzy Hash: 86F14775A0024DDFDF14CFA8C984AEEBBBAFF88304F144169E815EB251D731AA85CB50
                                          APIs
                                          • GetConsoleOutputCP.KERNEL32(72116C99,?,00000000,?), ref: 009573EE
                                            • Part of subcall function 0095002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0094C527,?,00000000,-00000008), ref: 009500D7
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00957649
                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00957691
                                          • GetLastError.KERNEL32 ref: 00957734
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                          • String ID:
                                          • API String ID: 2112829910-0
                                          • Opcode ID: 1af0c953730874619050d5305a267a1511b42d24dd302499ca984a725a63db8a
                                          • Instruction ID: 09d7d013723091a05a2acda9d15fd61293183525c922365d2fd3c4a639ee0f5d
                                          • Opcode Fuzzy Hash: 1af0c953730874619050d5305a267a1511b42d24dd302499ca984a725a63db8a
                                          • Instruction Fuzzy Hash: 2BD17AB5D046589FCB11CFE9E880AADFBB9FF48301F24452AE855E7351D730AA46CB50
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: eb88d770b448b9dbefd0f7f6102a1eb67995d6e7940789eb495e9c3e60e37bc9
                                          • Instruction ID: b6df62d8f55be9dbfb906923f3ed194701069a1cc663016809e3d5613854fb81
                                          • Opcode Fuzzy Hash: eb88d770b448b9dbefd0f7f6102a1eb67995d6e7940789eb495e9c3e60e37bc9
                                          • Instruction Fuzzy Hash: 32C17B71D01219DFDF14DF98D981AEEBBB9FF88300F14401AE805AB259DB34AE45CBA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: d70da0bb05536eba52e42188a29e4662aae9081a4cc5d4bfeb2960652e3a760e
                                          • Instruction ID: ad559a70a10831773b3bd0f3146f566992c643d5a5cce22e3d85d370d9e9bcea
                                          • Opcode Fuzzy Hash: d70da0bb05536eba52e42188a29e4662aae9081a4cc5d4bfeb2960652e3a760e
                                          • Instruction Fuzzy Hash: 0FC1AC7190021DAFDF15DFA8D980AEEBBB9FF49310F144419E805AB259D730AE45CFA1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00934F27
                                          • collate.LIBCPMT ref: 00934F33
                                            • Part of subcall function 00933E70: __EH_prolog3_GS.LIBCMT ref: 00933E77
                                            • Part of subcall function 00933E70: __Getcoll.LIBCPMT ref: 00933EDB
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • __Getcoll.LIBCPMT ref: 00934F76
                                            • Part of subcall function 00933CD4: __EH_prolog3.LIBCMT ref: 00933CDB
                                            • Part of subcall function 00933CD4: std::_Lockit::_Lockit.LIBCPMT ref: 00933CE5
                                            • Part of subcall function 00933CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 00933D56
                                            • Part of subcall function 00924403: __EH_prolog3.LIBCMT ref: 0092440A
                                            • Part of subcall function 00924403: std::_Lockit::_Lockit.LIBCPMT ref: 00924414
                                            • Part of subcall function 00924403: std::_Lockit::~_Lockit.LIBCPMT ref: 009244BB
                                          • numpunct.LIBCPMT ref: 009351A6
                                            • Part of subcall function 009184C0: LocalAlloc.KERNEL32(00000040,00000000,0093839D,00000000,72116C99,?,00000000,?,00000000,?,0095CB8D,000000FF,?,009117D5,00000000,0095D3BA), ref: 009184C6
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
                                          • String ID:
                                          • API String ID: 2732324234-0
                                          • Opcode ID: 6d6e90c06cde6fe68212093900293b7e75834ebcb0d923c8864af0df3514bebc
                                          • Instruction ID: bb34764188841383cbc30400acba3d6675898ae0e57b675d421adb03adb9ea10
                                          • Opcode Fuzzy Hash: 6d6e90c06cde6fe68212093900293b7e75834ebcb0d923c8864af0df3514bebc
                                          • Instruction Fuzzy Hash: 00914871D057159BD724ABB48802B7F7AE8EFC5350F12881DF85967291DF758D008BE1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: AdjustPointer
                                          • String ID:
                                          • API String ID: 1740715915-0
                                          • Opcode ID: 15da53223d78086a4718fe0e451236234bc652e8d69ba952d69047d57fb6f9b9
                                          • Instruction ID: 5220c25a2a946952fd9097e7aa4c06b90ee28b3b4f82898bbd614193e3f2e927
                                          • Opcode Fuzzy Hash: 15da53223d78086a4718fe0e451236234bc652e8d69ba952d69047d57fb6f9b9
                                          • Instruction Fuzzy Hash: 3E51DE72609706AFEB298F54D851BBB77A8EF80310F14452DEE1687295EB31EC80CF90
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f38f279bba05ce738b0494283641e0575b382fbedf4718d08eaf919f2461436
                                          • Instruction ID: 4419da9ea4e7800a5218f4f9ab6eb2077a2261669da6e90bd9ffb039220706da
                                          • Opcode Fuzzy Hash: 5f38f279bba05ce738b0494283641e0575b382fbedf4718d08eaf919f2461436
                                          • Instruction Fuzzy Hash: A221817160860DAF9B20AFB1CC81E6BF7ADEF80369B108925F915D7251E730EC408BA0
                                          APIs
                                          • GetLastError.KERNEL32(00000000,00000000,76C15490,00918B3A,00000000,?,?,?,?,?,?,?,00000000,0095A285,000000FF), ref: 00919027
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                          • API String ID: 1452528299-1781106413
                                          • Opcode ID: 13988545fbe5b5e4863058912e657af0b4d49771a377183dea52ef0e48ae6d67
                                          • Instruction ID: 58f24eff742bbd180faa5fe82569ac08e2710143da734b44e3bcb3f5c37275da
                                          • Opcode Fuzzy Hash: 13988545fbe5b5e4863058912e657af0b4d49771a377183dea52ef0e48ae6d67
                                          • Instruction Fuzzy Hash: 57218B49B2026586CB345F2C84113BAA2F4EF58755F64046FE8CAC7390FB798CC2D391
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0092440A
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00924414
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009244BB
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 009244C6
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                          • String ID:
                                          • API String ID: 4244582100-0
                                          • Opcode ID: 3de0227ca44f887363ddfef8ba9eb5f1f375f2a68c3f073bf76f06aed351f471
                                          • Instruction ID: 5d11a93c225f4ee3a2eaeed5307f96865a51074f9a58da91303dfd4b2529801f
                                          • Opcode Fuzzy Hash: 3de0227ca44f887363ddfef8ba9eb5f1f375f2a68c3f073bf76f06aed351f471
                                          • Instruction Fuzzy Hash: DD214A34A10626AFCB14EF14D891B6DB7A5FF89710F018519E9269B3A5CF70ED10CF80
                                          APIs
                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,72116C99), ref: 0092143C
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0092145C
                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0092148D
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 009214A6
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandlePointerWrite
                                          • String ID:
                                          • API String ID: 3604237281-0
                                          • Opcode ID: c1939f71c035fb76164ba78c569d019e86a728a3d07be136c73ee94b78e66eb2
                                          • Instruction ID: 270685a74aaf4bc3e493424ee857ef7339f7ed4ba2dc1c7b670fb77fbab1be9b
                                          • Opcode Fuzzy Hash: c1939f71c035fb76164ba78c569d019e86a728a3d07be136c73ee94b78e66eb2
                                          • Instruction Fuzzy Hash: 8E21B170955314ABD720DF14DC0AFAABBB8FB05B24F10421AF504A72D0D7B46A05C794
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009280CC
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009280D6
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00928127
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00928147
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: ee89abc81ba1e139d09c9417f6295fc05cd82d84f23c942b8e5737541512269b
                                          • Instruction ID: 5eb0989c9d1172f044633b892d7c1113080262806ae3cfb671bd74c1ac0cb816
                                          • Opcode Fuzzy Hash: ee89abc81ba1e139d09c9417f6295fc05cd82d84f23c942b8e5737541512269b
                                          • Instruction Fuzzy Hash: BC01D2729052299BCF04EB64E8467AEB7B5AFC4310F254409F4246B2D2DF349E46CB80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009281F6
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00928200
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00928251
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00928271
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 43e2e0aed36fa283099c1d57bd0ec75e29722c23928f9da987f2adaea4b3eb6e
                                          • Instruction ID: d237cc1f3e47a34e4f7564344250ce53066ff812c3e1335cd7d4c374d8a6c1a1
                                          • Opcode Fuzzy Hash: 43e2e0aed36fa283099c1d57bd0ec75e29722c23928f9da987f2adaea4b3eb6e
                                          • Instruction Fuzzy Hash: 0C01D276904629DBCB15EBA4E9057BEB7B5AFC4350F250409F8246B296DF349E01CB90
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00928161
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0092816B
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 009281BC
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 009281DC
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: cd42e552c4ea07134f0004d75e4039330e97c338aeeadcd43c88a6ad033998c0
                                          • Instruction ID: 1cf387b55d0f8d168ece758898365cd005857f6845ab0f779b7af136ab17241c
                                          • Opcode Fuzzy Hash: cd42e552c4ea07134f0004d75e4039330e97c338aeeadcd43c88a6ad033998c0
                                          • Instruction Fuzzy Hash: 5F0126369042299BCB04FB64E8017BF77B5AFC4320F250409F410A72D6CF309E42CB80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00922700
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0092270A
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 0092275B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0092277B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: a5bf1ec29fa5753e1e243eef4af2f2126df6dd14f64f7739d8ba363feffd3214
                                          • Instruction ID: 12858ff169ad5b9faa83204b958c717e3e34a1a138748dd718b9a2cc5dd60071
                                          • Opcode Fuzzy Hash: a5bf1ec29fa5753e1e243eef4af2f2126df6dd14f64f7739d8ba363feffd3214
                                          • Instruction Fuzzy Hash: DA01C476904229ABCB05EBA4E8157BE77A5AFC4310F250509F4246B292DF34AE019B81
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00922795
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0092279F
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 009227F0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00922810
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 5ef81f144db6aa7a767999d79122cb0bfd26d4dd622ece59ff11ff7b8c325fed
                                          • Instruction ID: 19c65068a607f4c5a6a92a09afc35926c50a4f36203691ee6c3b95bef378b09e
                                          • Opcode Fuzzy Hash: 5ef81f144db6aa7a767999d79122cb0bfd26d4dd622ece59ff11ff7b8c325fed
                                          • Instruction Fuzzy Hash: 2901D23690422DEBCB15FBA4E805BAE77B9AFC4310F250409F4246B2D2DF349E41DB81
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009279D0
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009279DA
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00927A2B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927A4B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 9713b2623bf8c17f237f2b15fcba3b89ef3bf1005492207a021ea1b71c39240d
                                          • Instruction ID: d0f2c53a6add13e3fcc46ca98effab7f7de690a0428a97d4bf293b200b171a73
                                          • Opcode Fuzzy Hash: 9713b2623bf8c17f237f2b15fcba3b89ef3bf1005492207a021ea1b71c39240d
                                          • Instruction Fuzzy Hash: 3A01F9369042299BCB15EBA8E8067BEBBB5AFC4320F250409F524772D2DF349E41CBC0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 009339F2
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 009339FC
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00933A4D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00933A6D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 05051b88d847fbad6751ad22f9f2aaaa229c425837e02a05f99ebd53456df570
                                          • Instruction ID: 06352ac606bd15bdc3a7b9572c4b28af32a62835ac97521564ccf6a75498dd73
                                          • Opcode Fuzzy Hash: 05051b88d847fbad6751ad22f9f2aaaa229c425837e02a05f99ebd53456df570
                                          • Instruction Fuzzy Hash: A201D272A442199BCB15EBA4D8057AE7BB5AFC4310F258509F414AB392DF349F018F81
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00933A87
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00933A91
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00933AE2
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00933B02
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 5ab3634a5bc7e1c5bdb5c0508b22ff1775ee634f45e5cf90809b34893cb126b4
                                          • Instruction ID: 6aeb4f334ce149761a998b2ac9cc9d7fce4e6f1169fb8826c8bbcf2d4931dac9
                                          • Opcode Fuzzy Hash: 5ab3634a5bc7e1c5bdb5c0508b22ff1775ee634f45e5cf90809b34893cb126b4
                                          • Instruction Fuzzy Hash: EE01D236944219EBCF15EB64E8067BEBBB5AFC4310F254509F415AB2D2DF749E41CB80
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927AFA
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927B04
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00927B55
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927B75
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: c48c5ee1077ec88a662cbaa802316776597744207ea0ccbb6482cd38a0f24734
                                          • Instruction ID: 7885a6a8d1dec967a10a20a3ab1f0c69009681d526d158aba7c2a9965e93908f
                                          • Opcode Fuzzy Hash: c48c5ee1077ec88a662cbaa802316776597744207ea0ccbb6482cd38a0f24734
                                          • Instruction Fuzzy Hash: 3A01D2329042299BCB14EBA8E805BFFB7B5AFC4310F254509F514AB292DF349E41CBC0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927A65
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927A6F
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00927AC0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927AE0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 379f20506873f7ac506449262314ea0edee9bfadb01ebbee4818a16286d5f5c3
                                          • Instruction ID: 36aaf99e3aecd8fd15d5d9548f8b51cde326e8fea696fa8aead6d0b99503d3e9
                                          • Opcode Fuzzy Hash: 379f20506873f7ac506449262314ea0edee9bfadb01ebbee4818a16286d5f5c3
                                          • Instruction Fuzzy Hash: 5A01D2729042299BCB04EBA4E8057AEBBB5AFC4320F260509F4147B2D2DF349E41CBC1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927B8F
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927B99
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00927BEA
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927C0A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00933CDB
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00933CE5
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00933D36
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00933D56
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00933C46
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00933C50
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00933CA1
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00933CC1
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927E78
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927E82
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00927ED3
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927EF3
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927FA2
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927FAC
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00927FFD
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0092801D
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00927F0D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00927F17
                                            • Part of subcall function 0091BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0091BD10
                                            • Part of subcall function 0091BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0091BD38
                                          • std::_Facet_Register.LIBCPMT ref: 00927F68
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00927F88
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00925C6D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00925C78
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00925CE6
                                            • Part of subcall function 00925DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00925DE0
                                          • std::locale::_Setgloballocale.LIBCPMT ref: 00925C93
                                          Similarity
                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                          • String ID:
                                          • API String ID: 677527491-0
                                          APIs
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00958643,?,00000001,?,?,?,00957788,?,?,00000000), ref: 00958C8D
                                          • GetLastError.KERNEL32(?,00958643,?,00000001,?,?,?,00957788,?,?,00000000,?,?,?,00957D0F,?), ref: 00958C99
                                            • Part of subcall function 00958C5F: CloseHandle.KERNEL32(FFFFFFFE,00958CA9,?,00958643,?,00000001,?,?,?,00957788,?,?,00000000,?,?), ref: 00958C6F
                                          • ___initconout.LIBCMT ref: 00958CA9
                                            • Part of subcall function 00958C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00958C50,00958630,?,?,00957788,?,?,00000000,?), ref: 00958C34
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00958643,?,00000001,?,?,?,00957788,?,?,00000000,?), ref: 00958CBE
                                          Similarity
                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                          • String ID:
                                          • API String ID: 2744216297-0
                                          APIs
                                          • SleepConditionVariableCS.KERNELBASE(?,0093789A,00000064), ref: 00937920
                                          • LeaveCriticalSection.KERNEL32(00974AF8,?,?,0093789A,00000064,?,?,009125B6,0097571C,72116C99,?,00000000,009593ED,000000FF,?,00911A26), ref: 0093792A
                                          • WaitForSingleObjectEx.KERNEL32(?,00000000,?,0093789A,00000064,?,?,009125B6,0097571C,72116C99,?,00000000,009593ED,000000FF,?,00911A26), ref: 0093793B
                                          • EnterCriticalSection.KERNEL32(00974AF8,?,0093789A,00000064,?,?,009125B6,0097571C,72116C99,?,00000000,009593ED,000000FF,?,00911A26), ref: 00937942
                                          Similarity
                                          • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                          • String ID:
                                          • API String ID: 3269011525-0
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 3732870572-1956417402
                                          APIs
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 0091FA3E
                                          Strings
                                          Similarity
                                          • API ID: Concurrency::cancel_current_task
                                          • String ID: false$true
                                          • API String ID: 118556049-2658103896
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 009322B1
                                          • _swprintf.LIBCMT ref: 00932329
                                            • Part of subcall function 0092780A: __EH_prolog3.LIBCMT ref: 00927811
                                            • Part of subcall function 0092780A: std::_Lockit::_Lockit.LIBCPMT ref: 0092781B
                                            • Part of subcall function 0092780A: std::_Lockit::~_Lockit.LIBCPMT ref: 0092788C
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 2348759532-1402515088
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00932595
                                          • _swprintf.LIBCMT ref: 0093260D
                                            • Part of subcall function 0091B500: std::_Lockit::_Lockit.LIBCPMT ref: 0091B52D
                                            • Part of subcall function 0091B500: std::_Lockit::_Lockit.LIBCPMT ref: 0091B550
                                            • Part of subcall function 0091B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0091B578
                                            • Part of subcall function 0091B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0091B617
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 1487807907-1402515088
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 0093660E
                                          • _swprintf.LIBCMT ref: 00936686
                                            • Part of subcall function 0091C590: std::_Lockit::_Lockit.LIBCPMT ref: 0091C5BD
                                            • Part of subcall function 0091C590: std::_Lockit::_Lockit.LIBCPMT ref: 0091C5E0
                                            • Part of subcall function 0091C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0091C608
                                            • Part of subcall function 0091C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0091C6A7
                                          Strings
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 1487807907-1402515088
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \\?\$\\?\UNC\
                                          • API String ID: 0-3019864461
                                          • Opcode ID: b6dffb7a20609baa70b647a4d6a9f9387beead8128bd52bae23ec18a1288506d
                                          • Instruction ID: 8ffeaf22db4a01256ad9b20c83780170870d63712958392cedae30e2d18aee0d
                                          • Opcode Fuzzy Hash: b6dffb7a20609baa70b647a4d6a9f9387beead8128bd52bae23ec18a1288506d
                                          • Instruction Fuzzy Hash: 56519170A103099BDB24CF65C995BEEB7B5FF99314F10491DE802B7280DB75A9C4CBA4
                                          APIs
                                          • EncodePointer.KERNEL32(00000000,?), ref: 0093B5F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: EncodePointer
                                          • String ID: MOC$RCC
                                          • API String ID: 2118026453-2084237596
                                          • Opcode ID: 6f867e6f634b6c8db35fd4405e20e3a9c85ee55e27a77fa02404f646501e67bf
                                          • Instruction ID: 6ef94eb34c93510cd1ba69f35013d73a45fa3d9419a36902f3965148ed4bad9f
                                          • Opcode Fuzzy Hash: 6f867e6f634b6c8db35fd4405e20e3a9c85ee55e27a77fa02404f646501e67bf
                                          • Instruction Fuzzy Hash: 95416971900209AFCF15DF98CD82AEEBBB9FF48318F188059FA09A7222D7359950DF51
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00932183
                                            • Part of subcall function 0092780A: __EH_prolog3.LIBCMT ref: 00927811
                                            • Part of subcall function 0092780A: std::_Lockit::_Lockit.LIBCPMT ref: 0092781B
                                            • Part of subcall function 0092780A: std::_Lockit::~_Lockit.LIBCPMT ref: 0092788C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                          • String ID: %.0Lf$0123456789-
                                          • API String ID: 2728201062-3094241602
                                          • Opcode ID: 3b223208e2a6e131eb976784e9ba1b25b5e11b90dcf7197119e54461627cb64d
                                          • Instruction ID: a2e1c7d64d8f3aaf87646cc7b88f5d07a8ee0d29cb078178a7676cdc34bb45bb
                                          • Opcode Fuzzy Hash: 3b223208e2a6e131eb976784e9ba1b25b5e11b90dcf7197119e54461627cb64d
                                          • Instruction Fuzzy Hash: 62414931901219DFCF09EFA4D881AEEBBB5FF48310F144159E821AB255DB309A56CF54
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 009364E2
                                            • Part of subcall function 0091C590: std::_Lockit::_Lockit.LIBCPMT ref: 0091C5BD
                                            • Part of subcall function 0091C590: std::_Lockit::_Lockit.LIBCPMT ref: 0091C5E0
                                            • Part of subcall function 0091C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0091C608
                                            • Part of subcall function 0091C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0091C6A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 2088892359-2494171821
                                          • Opcode ID: 106721dced3aa606c515dbc4931bd282d41e69d22c8bd643d5fe50e1b7f519ba
                                          • Instruction ID: d6c0898ac69e422e3df331fc0781f62ce712dccc68ed9638d4861b2a4f5e5a87
                                          • Opcode Fuzzy Hash: 106721dced3aa606c515dbc4931bd282d41e69d22c8bd643d5fe50e1b7f519ba
                                          • Instruction Fuzzy Hash: 69416D71A04209EFCF09DFA4D881AEE7BB6EF48310F10406AF821A7265DB359E55CF51
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00932467
                                            • Part of subcall function 0091B500: std::_Lockit::_Lockit.LIBCPMT ref: 0091B52D
                                            • Part of subcall function 0091B500: std::_Lockit::_Lockit.LIBCPMT ref: 0091B550
                                            • Part of subcall function 0091B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0091B578
                                            • Part of subcall function 0091B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0091B617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 2088892359-2494171821
                                          • Opcode ID: af9160d34d0f607e4aec2768abf858787e4d392b34a67651455a34ad553e7ece
                                          • Instruction ID: 73ba6160f7337887c2ed06cbf3451999133bebf21a3c5b55185b6bd4d0f06f44
                                          • Opcode Fuzzy Hash: af9160d34d0f607e4aec2768abf858787e4d392b34a67651455a34ad553e7ece
                                          • Instruction Fuzzy Hash: 5E414931A00219DFCF15DFA8D895AEEBBB5FF48310F10005AF815AB261DB309A95CFA5
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: H_prolog3___cftoe
                                          • String ID: !%x
                                          • API String ID: 855520168-1893981228
                                          • Opcode ID: 351897348f41e2fce61eb76234f703a346c4e92122316d1abf01a078424c0423
                                          • Instruction ID: 3db389ba0e5ec06d589e13189468c58443dd7efde9269089120a94389aff79d8
                                          • Opcode Fuzzy Hash: 351897348f41e2fce61eb76234f703a346c4e92122316d1abf01a078424c0423
                                          • Instruction Fuzzy Hash: 94412674A1124AEFDF04DFA8D841AEEBBB1BF48300F148429F955A7352E7349A05CF61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: H_prolog3___cftoe
                                          • String ID: !%x
                                          • API String ID: 855520168-1893981228
                                          • Opcode ID: dcfe92c42ff3f6839680e34ae04a0d3f327bc6f87755ff654ddb11cf2926cf5b
                                          • Instruction ID: 0785570fca633a5ce5446da131abb708372c58e27d254c68d5716eeaffc22e15
                                          • Opcode Fuzzy Hash: dcfe92c42ff3f6839680e34ae04a0d3f327bc6f87755ff654ddb11cf2926cf5b
                                          • Instruction Fuzzy Hash: EC311B75A01209EBDF14DFA4D982AEEB7B2FF48304F104429F905AB211E735AE55CF51
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: _swprintf
                                          • String ID: %$+
                                          • API String ID: 589789837-2626897407
                                          • Opcode ID: 65e93dd1c1f13c854ead544763b6aa9fc19ad23171e1739b40bed530e97685c3
                                          • Instruction ID: f39d01595e5fa888e6e417699398b04cd98db1716e053c438937a819025749a1
                                          • Opcode Fuzzy Hash: 65e93dd1c1f13c854ead544763b6aa9fc19ad23171e1739b40bed530e97685c3
                                          • Instruction Fuzzy Hash: 3421F3712083489FD711CF18C859BDBBBE9AF89344F04895DF99887282C738D958DBA3
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: _swprintf
                                          • String ID: %$+
                                          • API String ID: 589789837-2626897407
                                          • Opcode ID: a04ee522d87e0db90b1f0fedac08c53bc413a1737b2f3032b02a7ab62dbfa7f5
                                          • Instruction ID: 75afa28056d6bf8aa9d773efc9bc72bf71e936a31dcb7aff800cabb724993d7f
                                          • Opcode Fuzzy Hash: a04ee522d87e0db90b1f0fedac08c53bc413a1737b2f3032b02a7ab62dbfa7f5
                                          • Instruction Fuzzy Hash: 3B21C4752093499FE711CF14C855B9BBBE9ABC5300F04881DF99487292C738D958DBA7
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: _swprintf
                                          • String ID: %$+
                                          • API String ID: 589789837-2626897407
                                          • Opcode ID: 498e716cc1069844b787e895a9708e8790a16ea439df56526bdbd18625f819c7
                                          • Instruction ID: 09ba57dd2ebfd2906ca3cfaa26ccf6c90e98583e56e4f083e21a88599d29f9c2
                                          • Opcode Fuzzy Hash: 498e716cc1069844b787e895a9708e8790a16ea439df56526bdbd18625f819c7
                                          • Instruction Fuzzy Hash: 2821B0712083499FE711CF18C855B9BBBEAABC9300F04885DF99587292C738D958DBA2
                                          APIs
                                          • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00918116
                                          • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,72116C99), ref: 00918185
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: ConvertFreeLocalString
                                          • String ID: Invalid SID
                                          • API String ID: 3201929900-130637731
                                          • Opcode ID: 9227dfad9a9ac02ba319d2982564f110876d102a8f76e2b5351e76e08eb5a2d5
                                          • Instruction ID: 9ba401b65a67e44ef67be1be3b8b6fe04d4963b9d2377ce5f989ca5af19cbaca
                                          • Opcode Fuzzy Hash: 9227dfad9a9ac02ba319d2982564f110876d102a8f76e2b5351e76e08eb5a2d5
                                          • Instruction Fuzzy Hash: A1219375A08709ABDB14CF59C815BEFFBB8FF84704F10861DE901A7280DBB55A858BD0
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0091C16B
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0091C1CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                          • String ID: bad locale name
                                          • API String ID: 3988782225-1405518554
                                          • Opcode ID: b7b74ed6b70f5fbb307fc376503b75a0424ddc5c1f013db6e0ce4bc1ba302389
                                          • Instruction ID: 56156029588f1110d32af2da0fd2e36a6b4891470657997833610b5b3167fef4
                                          • Opcode Fuzzy Hash: b7b74ed6b70f5fbb307fc376503b75a0424ddc5c1f013db6e0ce4bc1ba302389
                                          • Instruction Fuzzy Hash: 042102B0909B84EED721CF68C90474BBFF4EF15314F10868EE49597781D3B5AA08CBA1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: H_prolog3_
                                          • String ID: false$true
                                          • API String ID: 2427045233-2658103896
                                          • Opcode ID: 65b9dde6904e575bc46eae91f47d0c4224c82094b74a08f619733ecb27ef0e53
                                          • Instruction ID: c9729a05d640ac2f464924887741c1010f124fd4e8eafd1da4c75f15722c5ea2
                                          • Opcode Fuzzy Hash: 65b9dde6904e575bc46eae91f47d0c4224c82094b74a08f619733ecb27ef0e53
                                          • Instruction Fuzzy Hash: A0110871D44749AEC720EFB4E812B8BB7F4AF59300F04851AF0A9CB651EB70E544CB50
                                          APIs
                                            • Part of subcall function 00920B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,72116C99,?,009593B0,000000FF), ref: 00920B27
                                            • Part of subcall function 00920B00: GetLastError.KERNEL32(?,00000000,00000000,72116C99,?,009593B0,000000FF), ref: 00920B31
                                          • IsDebuggerPresent.KERNEL32(?,?,0096FAD8), ref: 00921E48
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,0096FAD8), ref: 00921E57
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00921E52
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3511171328-631824599
                                          • Opcode ID: e129b1d2e24d571968b726a4ceedd3032a27cb9ca670259c282cc885584b0297
                                          • Instruction ID: 90db930ffbaa3202953095e91d18d8f2572aba93d74d0ca2a0b406680800dd6e
                                          • Opcode Fuzzy Hash: e129b1d2e24d571968b726a4ceedd3032a27cb9ca670259c282cc885584b0297
                                          • Instruction Fuzzy Hash: 00E09270605761CFC370EF3AE9047467BE4AF55749F41881DE885C6244D7B5E448CF52
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,40000022,72116C99,?,00000000,?,?,?,?,00959DA0,000000FF,?,00916432,00000000,?), ref: 00916CC4
                                          • LocalAlloc.KERNEL32(00000040,3FFFFFFF,72116C99,?,00000000,?,?,?,?,00959DA0,000000FF,?,00916432,00000000,?), ref: 00916CE7
                                          • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,00959DA0,000000FF,?,00916432,00000000), ref: 00916D87
                                          • LocalFree.KERNEL32(?,72116C99,00000000,009593B0,000000FF,?,00000000,00000000,00959DA0,000000FF,72116C99), ref: 00916E0D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                          • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree
                                          • String ID:
                                          • API String ID: 2012307162-0
                                          • Opcode ID: 0025bb1395014f7f24bf9746f0a0268d89db7817376f62a6749b90b3343f2609
                                          • Instruction ID: e13d653d739b54300e093a32ab555b1255344e39ba0a91d719f25fb252935e5f
                                          • Opcode Fuzzy Hash: 0025bb1395014f7f24bf9746f0a0268d89db7817376f62a6749b90b3343f2609
                                          • Instruction Fuzzy Hash: 59516DB5F046099FDB18CF68D985BAEBBB9FB48310F14862DE815E7380D735A950CB90
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 00914B05
                                          • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 00914B25
                                          • LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 00914BAB
                                          • LocalFree.KERNEL32(00000000,72116C99,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 00914C2D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.3312660861.0000000000911000.00000020.00000001.01000000.00000004.sdmp, Offset: 00910000, based on PE: true
                                           • Associated: 00000005.00000002.3312633527.0000000000910000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312710716.000000000095D000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312742366.0000000000973000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000005.00000002.3312770461.0000000000977000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_910000_MSIBC7.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree
                                          • String ID:
                                          • API String ID: 2012307162-0
                                          • Opcode ID: 079896ae5ce24509bda7b264943d74662df990a3692b0db8ab5cc0aa81cac873
                                          • Instruction ID: e5620c93d3828b53b1e62bb09df6bdda1c38bd91d861846263e433937313c0d3
                                          • Opcode Fuzzy Hash: 079896ae5ce24509bda7b264943d74662df990a3692b0db8ab5cc0aa81cac873
                                          • Instruction Fuzzy Hash: 8B51B3727482199FD7149F28DC41BAEB7E9EF89310F140A6EF856D7290DB30E9448B91

                                          Execution Graph

                                           Execution Coverage: 1.4%
                                           Dynamic/Decrypted Code Coverage: 1.1%
                                           Signature Coverage: 0.7%
                                           Total number of Nodes: 278
                                           Total number of Limit Nodes: 26

                                          Control-flow Graph

                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0133E781
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3400642820.000000000133E000.00000020.00000001.01000000.00000007.sdmp, Offset: 0133E000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_133e000_windows10.jbxd
                                          Similarity
                                          • API ID: CreateSnapshotToolhelp32
                                          • String ID: D$X1lU
                                          • API String ID: 3332741929-3893578023
                                          • Opcode ID: db65b5c3b89eff3912023507cc08190e9c77b8aa1c32a1b6adef85f624e25db8
                                          • Instruction ID: 189e1d6065a61c0eeafd389b479cf07eab132879f0fc191b16a84fcf3eee91d3
                                          • Opcode Fuzzy Hash: db65b5c3b89eff3912023507cc08190e9c77b8aa1c32a1b6adef85f624e25db8
                                          • Instruction Fuzzy Hash: E7616732904756CFC71ADF3CC8805EA7BA1FFC6728B6486ADC4918F6A1D7309816CB85
                                          APIs
                                          • NtQueryInformationProcess.NTDLL ref: 017516F1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3459024386.0000000001751000.00000020.00000001.01000000.00000007.sdmp, Offset: 01751000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_1751000_windows10.jbxd
                                          Similarity
                                          • API ID: InformationProcessQuery
                                          • String ID:
                                          • API String ID: 1778838933-0
                                          • Opcode ID: d9c154bfda8b8ed689f1bcbb5c88b26ea680fa480514194797d6c71acaed831b
                                          • Instruction ID: 8baa40582e30a88286de109888c6809f1bc3f9e7819ff9b108a3c9d00921119c
                                          • Opcode Fuzzy Hash: d9c154bfda8b8ed689f1bcbb5c88b26ea680fa480514194797d6c71acaed831b
                                          • Instruction Fuzzy Hash: 43E09271528E2A4A9250BB7CB19449EB750EFC4374F30DB2D6576A71E4FA300066CB96
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B91000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_b91000_windows10.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab534339ebf2f26df59a6dabcf4891875b70cb508f85659e8086122488c55be5
                                          • Instruction ID: dda0fcdf713155d66368dc6a7da0c67ad706785337cc0216c55ab66d0fff1ef0
                                          • Opcode Fuzzy Hash: ab534339ebf2f26df59a6dabcf4891875b70cb508f85659e8086122488c55be5
                                          • Instruction Fuzzy Hash: 21A012104098000AC804A7284C4340F35C02D42210FC40264B45CA5282E606856843E7

                                          Control-flow Graph

                                          APIs
                                          • GlobalAddAtomW.KERNEL32(00000000), ref: 00DB9350
                                            • Part of subcall function 00DB9070: SetErrorMode.KERNELBASE(00008000), ref: 00DB9084
                                            • Part of subcall function 00DB9070: SetErrorMode.KERNELBASE(?,00DB90D0), ref: 00DB90C3
                                            • Part of subcall function 00E4E394: LoadIconW.USER32(@@,MAINICON,?,?,?,00DB9410), ref: 00E4E4BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: ErrorMode$AtomGlobalIconLoad
                                          • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DelphiRM_GetObjectInstance$USER32
                                          • API String ID: 1953398334-1139167764
                                          • Opcode ID: 7cc65fc323fee5e11dfe93717a48e6f416f27ea70a139bfc2df5150ab760079f
                                          • Instruction ID: 975a8a368007407152d47a9988f54587c4c6594eccb54d7221c2d1df54235b35
                                          • Opcode Fuzzy Hash: 7cc65fc323fee5e11dfe93717a48e6f416f27ea70a139bfc2df5150ab760079f
                                          • Instruction Fuzzy Hash: DC417E74A04244DFCB00EFB9EC92A9DB7F5EB4A304B404575F509E7362DB34AA488B65

                                          Control-flow Graph

                                          APIs
                                          • __RTC_Initialize.LIBCMT ref: 00E9A52C
                                          • __mtterm.LIBCMT ref: 00E9A54F
                                            • Part of subcall function 00E9B309: TlsFree.KERNEL32(00EAC65C,00E9A5B6), ref: 00E9B334
                                          • __setenvp.LIBCMT ref: 00E9A55F
                                          • __cinit.LIBCMT ref: 00E9A56A
                                          • __mtterm.LIBCMT ref: 00E9A5B1
                                          • ___set_flsgetvalue.LIBCMT ref: 00E9A5C2
                                            • Part of subcall function 00E9B2D5: TlsGetValue.KERNEL32(?,00E9B444), ref: 00E9B2DE
                                            • Part of subcall function 00E9B2D5: TlsSetValue.KERNEL32(00000000), ref: 00E9B2FF
                                            • Part of subcall function 00E9D25A: __calloc_impl.LIBCMT ref: 00E9D26B
                                          • __freeptd.LIBCMT ref: 00E9A621
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: Value__mtterm$FreeInitialize___set_flsgetvalue__calloc_impl__cinit__freeptd__setenvp
                                          • String ID:
                                          • API String ID: 3546094511-0
                                          • Opcode ID: 9f5d3ee78cdd08f7d646629f91e269c9dae21f405b3aa397ebd93374c9d76221
                                          • Instruction ID: 8127c81d44afcf08514fff49876aac979277031d5170ffccd4866d2a152eab75
                                          • Opcode Fuzzy Hash: 9f5d3ee78cdd08f7d646629f91e269c9dae21f405b3aa397ebd93374c9d76221
                                          • Instruction Fuzzy Hash: BE21B5B2608252999F2577F66C02A7E33D99F95364B2D3436F404F1053FF20D44585E3

                                          Control-flow Graph

                                          APIs
                                          • LoadIconW.USER32(@@,MAINICON,?,?,?,00DB9410), ref: 00E4E4BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: @@$H@$MAINICON
                                          • API String ID: 2457776203-1529810331
                                          • Opcode ID: 78111a7165e3e7b02f3a7bf9736a5ae76228b391828b9807b904724e7990af78
                                          • Instruction ID: 26b224560033092a6af227b0d0973f3fa9e45c13c2feb37660b59e96e97a5526
                                          • Opcode Fuzzy Hash: 78111a7165e3e7b02f3a7bf9736a5ae76228b391828b9807b904724e7990af78
                                          • Instruction Fuzzy Hash: F8611870A043809FDB51EF38D886B897BE5AB15308F0854F9EC48DF357DBB599888B61

                                          Control-flow Graph

                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00E4D266
                                          Strings
                                          • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00E4D250
                                          • layout text, xrefs: 00E4D297
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                          • API String ID: 71445658-2652665750
                                          • Opcode ID: 135e0198edc5d44c9fd7cad5ad1b46a0a4131d12ed0e3f586d69d5c50a8db231
                                          • Instruction ID: 12ddbdfd715f72ddbf58c1b9ca97271084d04889cb5a86f20dc49924175f4a31
                                          • Opcode Fuzzy Hash: 135e0198edc5d44c9fd7cad5ad1b46a0a4131d12ed0e3f586d69d5c50a8db231
                                          • Instruction Fuzzy Hash: 30411574A04209AFDB11DFA4D982BADB7F9EB49704F5040A5EA04E7251E770AF04DB62

                                          Control-flow Graph

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008000), ref: 00DB9084
                                          • SetErrorMode.KERNELBASE(?,00DB90D0), ref: 00DB90C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID: imm32.dll
                                          • API String ID: 2340568224-1815517138
                                          • Opcode ID: d8a6fadab6329fa09cee1863d68c8b97ceeca09bcbdc74ef62c514034fe586dd
                                          • Instruction ID: bcfd08af69c08ec974e0d92513aa5d0dacddc778ef898535bc9b76b9af421648
                                          • Opcode Fuzzy Hash: d8a6fadab6329fa09cee1863d68c8b97ceeca09bcbdc74ef62c514034fe586dd
                                          • Instruction Fuzzy Hash: DEF02771908348EFE711EB6AAC22B69F7E8D706B10F9180E5F60C93590E6759D44DB30

                                          Control-flow Graph

                                          APIs
                                          • _malloc.LIBCMT ref: 00E99838
                                            • Part of subcall function 00E9BD76: __FF_MSGBANNER.LIBCMT ref: 00E9BD99
                                            • Part of subcall function 00E9BD76: __NMSG_WRITE.LIBCMT ref: 00E9BDA0
                                            • Part of subcall function 00E9BD76: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00E9BDED
                                          • std::bad_alloc::bad_alloc.LIBCMT ref: 00E9985B
                                            • Part of subcall function 00E997B4: std::exception::exception.LIBCMT ref: 00E997C0
                                          • std::bad_exception::bad_exception.LIBCMT ref: 00E9986F
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                          • String ID:
                                          • API String ID: 832318072-0
                                          • Opcode ID: 555945e9e68c5763c3ea5338a6195bc127f9897bbca03fb94548447aac83bdb9
                                          • Instruction ID: 6ba58175f675f5c15b92e8dbbca1307c274dd4071012b96553dd6d2c54107a85
                                          • Opcode Fuzzy Hash: 555945e9e68c5763c3ea5338a6195bc127f9897bbca03fb94548447aac83bdb9
                                          • Instruction Fuzzy Hash: CB01D83140420D6A8F387B5AE8069EA37EDDF57768B14A02DF845BB153EB72ED45C290

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessW.KERNELBASE(00000000,00000000), ref: 00E60BD8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: D
                                          • API String ID: 963392458-2746444292
                                          • Opcode ID: 3c564d9d751f4575b7cf28dd3555d3085e2b948f3b0e28bbe9ab257cfb79b591
                                          • Instruction ID: 9fb11e42d48f202f92c8ee884fa03d2906f248f15a885152adf118fa5e4d5fb2
                                          • Opcode Fuzzy Hash: 3c564d9d751f4575b7cf28dd3555d3085e2b948f3b0e28bbe9ab257cfb79b591
                                          • Instruction Fuzzy Hash: 00214770A4430CAFDF04EBE8D846B9EBBF9EB09700F5040A9F514B7291DB78AA058B55

                                          Control-flow Graph (rendered image, not reproduced): basic blocks bbaf3c through bbb011; block bbaf3c-bbaf87 calls GetFileVersionInfoSizeW, block bbaf89-bbafba calls GetFileVersionInfoW
                                          APIs
                                          • GetFileVersionInfoSizeW.KERNELBASE(00000000), ref: 00BBAF7E
                                          • GetFileVersionInfoW.KERNELBASE(00000000), ref: 00BBAFB3
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000BAB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BAB000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_bab000_windows10.jbxd
                                          Similarity
                                          • API ID: FileInfoVersion$Size
                                          • String ID:
                                          • API String ID: 2104008232-0
                                          • Opcode ID: 019bbe7fa1949f9aaa258fbe4c0e5ad1fc440eb6dd376c873f5596a6418e0c7d
                                          • Instruction ID: a0def2db8a3f43b91604c9ea85bc6f84ce6c610f68569c8cba235df10318d96b
                                          • Opcode Fuzzy Hash: 019bbe7fa1949f9aaa258fbe4c0e5ad1fc440eb6dd376c873f5596a6418e0c7d
                                          • Instruction Fuzzy Hash: D7211D71A04609AFDB11EFA9CC82CFEB7FCEB49700B5144B5B510E3651EB749E049661

                                          Control-flow Graph (rendered image, not reproduced): basic blocks e47b98 through e47dc7; block e47d3c-e47d46 calls db2928 and KiUserCallbackDispatcher
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00E47DC8), ref: 00E47D46
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: 9b8bc7c450faf2bab2f06afd1257b1f5c4dbb28efc35b607459fb946c3f02d25
                                          • Instruction ID: e60754e59748caff0ad963beb88f8ac0fb6825b5822cfa45285f951a25563650
                                          • Opcode Fuzzy Hash: 9b8bc7c450faf2bab2f06afd1257b1f5c4dbb28efc35b607459fb946c3f02d25
                                          • Instruction Fuzzy Hash: 7B518431A082405BDB15AF39ECC57AA76D5AF06708F0464B5FC85BB297CB74DC89C7A0

                                          Control-flow Graph (rendered image, not reproduced): basic blocks e6a114 through e6a3c4; block e6a1a8-e6a1ad calls GetNativeSystemInfo
                                          APIs
                                          • GetNativeSystemInfo.KERNELBASE(?), ref: 00E6A1AD
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000E6A000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E6A000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e6a000_windows10.jbxd
                                          Similarity
                                          • API ID: InfoNativeSystem
                                          • String ID:
                                          • API String ID: 1721193555-0
                                          • Opcode ID: f2ed8173318717b188ad4a24464958dab18e7e0e38b25074eb853c945656a434
                                          • Instruction ID: 984e7b7db02f8ac309b61bcd5f2b311131a172bd249882d8edd7ba7d10847538
                                          • Opcode Fuzzy Hash: f2ed8173318717b188ad4a24464958dab18e7e0e38b25074eb853c945656a434
                                          • Instruction Fuzzy Hash: CC619230A986409FCB24EB2AE94569E73F1FB81348F24647AE149B7365D671C98CCF03
                                          APIs
                                          • SystemParametersInfoW.USER32(00000029,00000000,?,00000000,?,00000000,00E3F730,?,00E4CC47,00000000,00000000,00E4783C,6E6F4646,?,?,00000000), ref: 00E4D681
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: InfoParametersSystem
                                          • String ID:
                                          • API String ID: 3098949447-0
                                          • Opcode ID: baa4edde3e3948f9d9414e3c519a28c06d09b81300b5cc3d123bf995a88d512d
                                          • Instruction ID: b1f16b16821fab350ae50faeac70027dd28d70d678f17b72292fc898619d4056
                                          • Opcode Fuzzy Hash: baa4edde3e3948f9d9414e3c519a28c06d09b81300b5cc3d123bf995a88d512d
                                          • Instruction Fuzzy Hash: E94141306082049BEB50FBB8DC86B9A37E9EF45B00F5440B2B90CEB257DE749D858B75
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00E8B655
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E8B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E8B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e8b000_windows10.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: d4bad12da2fdd539c0c8a4a10605c6f181b2f49d6bab8bfff8aac16ca0e965f8
                                          • Instruction ID: abf837373630e6158cd0a534efef4e1e2975a5959e0fe2926338a61f4462d1f9
                                          • Opcode Fuzzy Hash: d4bad12da2fdd539c0c8a4a10605c6f181b2f49d6bab8bfff8aac16ca0e965f8
                                          • Instruction Fuzzy Hash: 3911AB2064460A1BEF29997DCC01FAE7BA6CBC2334F08837DA51A8B5D4EA3084044796
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00E8B655
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E8B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E8B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e8b000_windows10.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 5429865e6951855d6711af4d11da7e6a40cb0d06f152d3c263eb90cf91d7c082
                                          • Instruction ID: e42259e7c3ac3ab417dfef81d7a54dec9e575988c18b0794bd85260ad91793e3
                                          • Opcode Fuzzy Hash: 5429865e6951855d6711af4d11da7e6a40cb0d06f152d3c263eb90cf91d7c082
                                          • Instruction Fuzzy Hash: 4BF0247174010D26EB1498BC9C42BBEBBAACBC2B34F1883A9B91CD62E4F57098054392
                                          APIs
                                          • LoadCursorW.USER32(00000000,00000000,?,?,?,00E3F730,00E4CB5F,?,?,00000000,?,00DB93F0), ref: 00E4D036
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: CursorLoad
                                          • String ID:
                                          • API String ID: 3238433803-0
                                          • Opcode ID: 06ada810d5811e9ef668e90a7ee6fad5280deb3ab1d55359838d870f54d8f4f3
                                          • Instruction ID: eb24114a64a504fd562f8d8d1afb8501b661f05b1a6005f736ce0ed153528918
                                          • Opcode Fuzzy Hash: 06ada810d5811e9ef668e90a7ee6fad5280deb3ab1d55359838d870f54d8f4f3
                                          • Instruction Fuzzy Hash: 33F0A0217092405BD6209A3D6CC1F6EB2CACB86734F301376F96DBB2D1CA222C0616A0
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00DA94EB
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000D6D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_d6d000_windows10.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                          • Instruction ID: e0bbe715bca3811110881742a92ef003db1fcb23f4917bcbe1fd8e336695c67c
                                          • Opcode Fuzzy Hash: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                          • Instruction Fuzzy Hash: D4F0DA762047119FC310DF5CC88494BB7E9EF89259F044A59F986DB351C771E814CB92
                                          APIs
                                          • _malloc.LIBCMT ref: 00E99838
                                            • Part of subcall function 00E9BD76: __FF_MSGBANNER.LIBCMT ref: 00E9BD99
                                            • Part of subcall function 00E9BD76: __NMSG_WRITE.LIBCMT ref: 00E9BDA0
                                            • Part of subcall function 00E9BD76: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00E9BDED
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_malloc
                                          • String ID:
                                          • API String ID: 501242067-0
                                          • Opcode ID: 9fddc94e5dbf1e6244022615b92a186c3a5620306a6be185b52e64ba786d58d8
                                          • Instruction ID: 8f69b9a96517b0b8192c76760803c6c8329b4058781941795ca58e50fda12f61
                                          • Opcode Fuzzy Hash: 9fddc94e5dbf1e6244022615b92a186c3a5620306a6be185b52e64ba786d58d8
                                          • Instruction Fuzzy Hash: D0D0A53140440797CD34377D68479FD3F684E62358714501DEC05B5553DF10C442C1F1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3459024386.0000000001FBE000.00000020.00000001.01000000.00000007.sdmp, Offset: 01FBE000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_1fbe000_windows10.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 1cd2bee3fedb13dc864a1c265ba0436006c7382bc4546c655e6af267fabb5800
                                          • Instruction ID: 3d580d4e93db6c0e89f7820cc6fd3ca7711576e4a0fa13774740922cf49c2a10
                                          • Opcode Fuzzy Hash: 1cd2bee3fedb13dc864a1c265ba0436006c7382bc4546c655e6af267fabb5800
                                          • Instruction Fuzzy Hash:
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3400642820.00000000014CE000.00000020.00000001.01000000.00000007.sdmp, Offset: 014CE000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_14ce000_windows10.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9b4239a911e7e84118b4e7440e4cb193b309225871a67dc48efbe305a92cee8
                                          • Instruction ID: a60eb61ae96118c9f1a404633ddca112c007656552541d90509ee3d61ae17077
                                          • Opcode Fuzzy Hash: a9b4239a911e7e84118b4e7440e4cb193b309225871a67dc48efbe305a92cee8
                                          • Instruction Fuzzy Hash: 1AF0E535B0176B5B97219E5E8CE0ABBB3EC6F15A11B850115FC95AB7C1D764EC0052E0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3400642820.00000000014CE000.00000020.00000001.01000000.00000007.sdmp, Offset: 014CE000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_14ce000_windows10.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: L
                                          • API String ID: 0-2909332022
                                          • Opcode ID: 4849debe4830302fdb5f84a692ac7c13ec1e2517c37a2ddb982db19de50c29b8
                                          • Instruction ID: 450fad6f4afe9e369b7fe039dea7cb92e474822f669041eb8bb3b1faf547896a
                                          • Opcode Fuzzy Hash: 4849debe4830302fdb5f84a692ac7c13ec1e2517c37a2ddb982db19de50c29b8
                                          • Instruction Fuzzy Hash: CF5119316187128BC718EF38E4904EAB3E6FFC9325F248A7D9496936D4D7356905CF41
                                          APIs
                                          • TlsSetValue.KERNEL32(00000000,?,?,00E9A521), ref: 00E9B720
                                          • __init_pointers.LIBCMT ref: 00E9B72A
                                          • __mtterm.LIBCMT ref: 00E9B7E0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: Value__init_pointers__mtterm
                                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                          • API String ID: 345306816-3819984048
                                          • Opcode ID: 097340bbac32eff8404cc41e97caf3002a0a86e6416778b7cf0cbd59d3adf328
                                          • Instruction ID: 5739d28f53b001978d3fc00b1511e01ae3b0d781610ef236766b8366c9357229
                                          • Opcode Fuzzy Hash: 097340bbac32eff8404cc41e97caf3002a0a86e6416778b7cf0cbd59d3adf328
                                          • Instruction Fuzzy Hash: 483185304043159ECF216FB6BE4661B3BE4AF8F714715663AE424F71B1EB78A84A8B50
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000100,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,?,?), ref: 00E9EDFA
                                          • _malloc.LIBCMT ref: 00E9EE33
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00E9EE66
                                          • _malloc.LIBCMT ref: 00E9EEF5
                                          • __freea.LIBCMT ref: 00E9EF4D
                                          • __freea.LIBCMT ref: 00E9EF56
                                          • _malloc.LIBCMT ref: 00E9F00B
                                          • _memset.LIBCMT ref: 00E9F02D
                                          • __freea.LIBCMT ref: 00E9F078
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: __freea_malloc$ByteCharMultiWide$_memset
                                          • String ID:
                                          • API String ID: 340271106-0
                                          • Opcode ID: 8eb03e5b3367a3b10ab05cbfaaa3a9a90f746af4d4baf6fced65b3b71799671e
                                          • Instruction ID: bd1a697850fe1736940418df8282846e0a49aea0e58d4dcd46cd1540a93a1b41
                                          • Opcode Fuzzy Hash: 8eb03e5b3367a3b10ab05cbfaaa3a9a90f746af4d4baf6fced65b3b71799671e
                                          • Instruction Fuzzy Hash: BCB19CB2900119AFDF21DFA4CC818EE7BBAEF48318B14552AFA14B6261D731CD50DBA0
                                          APIs
                                          • _strlen.LIBCMT ref: 00EA1EF5
                                          • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,00000000,?,00E9F2FE,?,?,?,?,?,?,?,?), ref: 00EA1F35
                                          • _malloc.LIBCMT ref: 00EA1F45
                                          • _memset.LIBCMT ref: 00EA1F6D
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,?,?,?,?,?,00E9F2FE,?), ref: 00EA1F84
                                          • __freea.LIBCMT ref: 00EA200C
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$__freea_malloc_memset_strlen
                                          • String ID:
                                          • API String ID: 3923921168-0
                                          • Opcode ID: d0c263437e3f12dfbea9cb708eef3a7a53d26cc1906046dd404562a0ac5f737f
                                          • Instruction ID: c41296a40601a9a2bff4ebb36599a892e80dcd584123709cfedd27185c170959
                                          • Opcode Fuzzy Hash: d0c263437e3f12dfbea9cb708eef3a7a53d26cc1906046dd404562a0ac5f737f
                                          • Instruction Fuzzy Hash: 96517B31900159AECF219FA9DC84DEFBBB9EF8E764F20515AF518BA190D731AC41CB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: String___crt$Type_memset
                                          • String ID:
                                          • API String ID: 1957702402-3916222277
                                          • Opcode ID: 97fc0fded6e7d23c012b2fbc772ee3c7ea9db419e9d7465843b4455977543f5e
                                          • Instruction ID: 2fa8bf0d3b3b58c5e43a552cc29aba31df1f8296b0385750e6380695c87b6f09
                                          • Opcode Fuzzy Hash: 97fc0fded6e7d23c012b2fbc772ee3c7ea9db419e9d7465843b4455977543f5e
                                          • Instruction Fuzzy Hash: D341277010075C5EDF318A24DC99BFBBBF8AF45308F2854F8E58697183D1719A458F61
                                          APIs
                                          • _ValidateScopeTableHandlers.LIBCMT ref: 00EA4761
                                          • __FindPESection.LIBCMT ref: 00EA477B
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: FindHandlersScopeSectionTableValidate
                                          • String ID:
                                          • API String ID: 876702719-0
                                          • Opcode ID: 3647124ab908d2a926a29e3d38deedc37a0ad676255fe8fcfa3e3814b07bd485
                                          • Instruction ID: bc486cbb9cdb249ce7796f3d60adc899261f813b00f22f8fd1c2dc8b212dd6ad
                                          • Opcode Fuzzy Hash: 3647124ab908d2a926a29e3d38deedc37a0ad676255fe8fcfa3e3814b07bd485
                                          • Instruction Fuzzy Hash: B091AFB2A006598FCB14CB59D8406AAB3A5EBCF324F159179E855BB2E1D7B1FC01CB90
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00E9F2FE,?,?,?), ref: 00E9F1BA
                                          • _malloc.LIBCMT ref: 00E9F1EF
                                            • Part of subcall function 00EA1E73: _strlen.LIBCMT ref: 00EA1EF5
                                            • Part of subcall function 00EA1E73: _memset.LIBCMT ref: 00EA1F6D
                                            • Part of subcall function 00EA1E73: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,?,?,?,?,?,00E9F2FE,?), ref: 00EA1F84
                                          • _memset.LIBCMT ref: 00E9F20F
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00E9F224
                                          • __freea.LIBCMT ref: 00E9F23C
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$_memset$__freea_malloc_strlen
                                          • String ID:
                                          • API String ID: 574822426-0
                                          • Opcode ID: 933373debf00600c6b00e5bd7f80f27412ae6dedf81fc2729448334f22a5f1c8
                                          • Instruction ID: 3ee2271ba6f6a1a04394256f667d2469146af8e683156c9af51a087c6d1087f0
                                          • Opcode Fuzzy Hash: 933373debf00600c6b00e5bd7f80f27412ae6dedf81fc2729448334f22a5f1c8
                                          • Instruction Fuzzy Hash: BF517EB690010AEFDF109FA5DC81AAF7BA9EF19358B14543AF914E6261D730DD608BE0
                                          APIs
                                          • __CreateFrameInfo.LIBCMT ref: 00EA3BD1
                                            • Part of subcall function 00EA34C1: __getptd.LIBCMT ref: 00EA34CF
                                            • Part of subcall function 00EA34C1: __getptd.LIBCMT ref: 00EA34DD
                                          • __getptd.LIBCMT ref: 00EA3BDB
                                            • Part of subcall function 00E9B4A6: __amsg_exit.LIBCMT ref: 00E9B4B6
                                          • __getptd.LIBCMT ref: 00EA3BE9
                                          • __getptd.LIBCMT ref: 00EA3BF7
                                          • __getptd.LIBCMT ref: 00EA3C02
                                            • Part of subcall function 00EA3566: __CallSettingFrame@12.LIBCMT ref: 00EA35B2
                                            • Part of subcall function 00EA3CCF: __getptd.LIBCMT ref: 00EA3CDE
                                            • Part of subcall function 00EA3CCF: __getptd.LIBCMT ref: 00EA3CEC
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit
                                          • String ID:
                                          • API String ID: 3174811152-0
                                          • Opcode ID: a72c5bb60febf9a8bf81f6048ee2bc2845cac0b113e0788261690b838858d8ca
                                          • Instruction ID: a3cf6dc9755669296fe90fb7b0ecc73f974c34d99aaaf911a68421ef6b1fb4bb
                                          • Opcode Fuzzy Hash: a72c5bb60febf9a8bf81f6048ee2bc2845cac0b113e0788261690b838858d8ca
                                          • Instruction Fuzzy Hash: 9311E771D00209AFDF00EFA4D945AAD7BF0BF08314F109069F824AB252EB389A119F50
                                          APIs
                                          • ___initmbctable.LIBCMT ref: 00E9DB36
                                            • Part of subcall function 00E9AE9C: __setmbcp.LIBCMT ref: 00E9AEA7
                                          • _parse_cmdline.LIBCMT ref: 00E9DB78
                                          • _parse_cmdline.LIBCMT ref: 00E9DBB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: _parse_cmdline$___initmbctable__setmbcp
                                          • String ID: C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                          • API String ID: 1290970244-3051256841
                                          • Opcode ID: 8e925460c07633fb6833b7760f2e511026bceddce394d173bbcb157112933824
                                          • Instruction ID: b18cba5ee1579d8c0b12ca6990b1ac6ddf783bf6a17b002f3c8bd271bc2e91a0
                                          • Opcode Fuzzy Hash: 8e925460c07633fb6833b7760f2e511026bceddce394d173bbcb157112933824
                                          • Instruction Fuzzy Hash: 3C21B7B1904268AFCF10EBB59C809DF7BB8EB85724B211675E515F7150E2306E49CB90
                                          APIs
                                          • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00B984C3
                                          • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00B98540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00B984F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B91000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_b91000_windows10.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationLogicalProcessor
                                          • String ID: GetLogicalProcessorInformation$kernel32.dll
                                          • API String ID: 1773637529-812649623
                                          • Opcode ID: c88195be0d9f7f6329cf01744f8e151ec47d9b344e38ee6a8fa276f2ee9ff2b7
                                          • Instruction ID: 1552be4743665256dad6257c75b17bacbfd1d4f92f30feb8fe5c1c7b53356a46
                                          • Opcode Fuzzy Hash: c88195be0d9f7f6329cf01744f8e151ec47d9b344e38ee6a8fa276f2ee9ff2b7
                                          • Instruction Fuzzy Hash: AE11B271D08208AEEF10EBA4DC43B6DB7E9EB12314F2680F5F40896191DF35DE88C615
                                          APIs
                                          • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00B984C3
                                          • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00B98540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00B984F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B91000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_b91000_windows10.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationLogicalProcessor
                                          • String ID: GetLogicalProcessorInformation$kernel32.dll
                                          • API String ID: 1773637529-812649623
                                          • Opcode ID: 8f702d6350ba523e75578381ba5b0dd2617bc23bed06e36fbedba4b59cf3e566
                                          • Instruction ID: dc230693fec7368a8ee09dac5cfd99dda284a7f6269addf513bc3b2fd252d48e
                                          • Opcode Fuzzy Hash: 8f702d6350ba523e75578381ba5b0dd2617bc23bed06e36fbedba4b59cf3e566
                                          • Instruction Fuzzy Hash: FC018071D04208AEEF10EBA48C42A6DB7E9DB12314F1281F5F408D6091EF71DE888614
                                          APIs
                                          • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00B9C871
                                          • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00B9C8CF
                                          • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00B9C92C
                                          • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00B9C95F
                                            • Part of subcall function 00B9C81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00B9C8DD), ref: 00B9C833
                                            • Part of subcall function 00B9C81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00B9C8DD), ref: 00B9C850
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3318963670.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B91000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_b91000_windows10.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$LanguagesPreferred$Language
                                          • String ID:
                                          • API String ID: 2255706666-0
                                          • Opcode ID: ef6208c0063ea6069ddfcc7b2ae5f5ac251ff655297502d4dde7e9c4ca196600
                                          • Instruction ID: 43a37a2e0cfcf9b06ff4d69f33ddf1870b0573dd48fd73d10eb52209989fc471
                                          • Opcode Fuzzy Hash: ef6208c0063ea6069ddfcc7b2ae5f5ac251ff655297502d4dde7e9c4ca196600
                                          • Instruction Fuzzy Hash: 74312970E0021E9BDF10DFE9C885AAEBBF9FF09314F1041B5E565E7291DB749A048B90
                                          APIs
                                          • TlsGetValue.KERNEL32(00000000,?,00E9B258,00000000,00EA22DC,00EAF6D0,00000000,00000314,?,00E9FE01,00EAF6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00E9B1F1
                                          • TlsGetValue.KERNEL32(00EAC658,?,00E9B258,00000000,00EA22DC,00EAF6D0,00000000,00000314,?,00E9FE01,00EAF6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00E9B208
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: Value
                                          • String ID: EncodePointer$KERNEL32.DLL
                                          • API String ID: 3702945584-3682587211
                                          • Opcode ID: b851250b2764d4c00b0b2bb5e24e34be8caad533da7a038171194414669888c3
                                          • Instruction ID: dde3d1a1081ac0952114de666c66c23847614c5f49b747634fdd5b1070c1c8e9
                                          • Opcode Fuzzy Hash: b851250b2764d4c00b0b2bb5e24e34be8caad533da7a038171194414669888c3
                                          • Instruction Fuzzy Hash: 5C01F730540255AADF10AB7AED05E9E3FD89F47368B185121FC08FF5B1DB31E94186E0
                                          APIs
                                          • TlsGetValue.KERNEL32(00000000,?,00E9B2F5), ref: 00E9B26C
                                          • TlsGetValue.KERNEL32(00EAC658,?,00E9B2F5), ref: 00E9B283
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: Value
                                          • String ID: DecodePointer$KERNEL32.DLL
                                          • API String ID: 3702945584-629428536
                                          • Opcode ID: c02e3078a866b8368691d4b0bff44e7517393c968bf47287c61d5da9c6a652b8
                                          • Instruction ID: 119ad503583f1c0287a3722db39cc4b2130c77672c41fc79f4e59edbb08eb991
                                          • Opcode Fuzzy Hash: c02e3078a866b8368691d4b0bff44e7517393c968bf47287c61d5da9c6a652b8
                                          • Instruction Fuzzy Hash: 3CF0313090011A6A9F116B6AEE41AAE3B9DDF4A3A47285530FC0CF7170DB20ED4186E0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: CallFrame@12Setting__getptd
                                          • String ID: j
                                          • API String ID: 3454690891-2137352139
                                          • Opcode ID: 97078df5c2dfd08c4eb46923fe4bebefc500b1d594d003d82632aa9162780268
                                          • Instruction ID: 1697e74ba44cf3aa578217afee5b9f420dced5a3e4ddd61d27306f6c92cb0159
                                          • Opcode Fuzzy Hash: 97078df5c2dfd08c4eb46923fe4bebefc500b1d594d003d82632aa9162780268
                                          • Instruction Fuzzy Hash: 6711AC71905250DFDB12DF68D44539DBBB0BF4A718F28918AE4A87F182C3B16A00CB81
                                          APIs
                                          • ___BuildCatchObject.LIBCMT ref: 00EA3F69
                                            • Part of subcall function 00EA3EC4: ___BuildCatchObjectHelper.LIBCMT ref: 00EA3EFA
                                          • _UnwindNestedFrames.LIBCMT ref: 00EA3F80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                          • String ID: csm
                                          • API String ID: 3487967840-1018135373
                                          • Opcode ID: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                          • Instruction ID: 58b9d091495bdd326fb947ba60da3d14d6aeef214c3b953068b90e2133c1edbc
                                          • Opcode Fuzzy Hash: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                          • Instruction Fuzzy Hash: C901F635501109BFDF126F61CC45EEA7FAAEF0A354F009014FD5829161D776BAB1EBA0
                                          APIs
                                          • __getptd.LIBCMT ref: 00EA3CDE
                                            • Part of subcall function 00E9B4A6: __amsg_exit.LIBCMT ref: 00E9B4B6
                                          • __getptd.LIBCMT ref: 00EA3CEC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.3396387450.0000000000E99000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E99000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_e99000_windows10.jbxd
                                          Similarity
                                          • API ID: __getptd$__amsg_exit
                                          • String ID: csm
                                          • API String ID: 1969926928-1018135373
                                          • Opcode ID: 26a396b7f8d6ad0d22a1f8c91d29c0213ce2de7ad14ed7ed1dde7fea289fa1f0
                                          • Instruction ID: ff63de888e6575d42c77be879f9875c9fae700cf795af1a69f952b7398781019
                                          • Opcode Fuzzy Hash: 26a396b7f8d6ad0d22a1f8c91d29c0213ce2de7ad14ed7ed1dde7fea289fa1f0
                                          • Instruction Fuzzy Hash: 11012834800204DBCF349F74D441AACFBF6AF1A715F24642AF0527E251DB31AA80DA52

                                          Execution Graph

                                          Execution Coverage:1.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:260
                                          Total number of Limit Nodes:28
                                          execution_graph 76859 d0b610 76860 d0b665 76859->76860 76861 d0b63b 76859->76861 76861->76860 76862 d0b642 WriteProcessMemory 76861->76862 77023 c3a110 77024 c3a230 77023->77024 77026 c3a13e 77023->77026 77026->77024 77027 c3a304 77026->77027 77028 c3a32c 77027->77028 77031 c3a26c 77028->77031 77030 c3a337 77030->77024 77034 c399a4 77031->77034 77033 c3a28f 77033->77030 77035 c399aa 77034->77035 77038 c35af0 77035->77038 77037 c399bf 77037->77033 77039 c35afa 77038->77039 77040 c2cae4 RegOpenKeyExW 77039->77040 77041 c35b10 77040->77041 77041->77037 76863 a1dc44 76864 a1dc4c 76863->76864 76865 a1dc88 76864->76865 76867 a1c184 76864->76867 76868 a1c1a9 76867->76868 76869 a1c193 76867->76869 76868->76865 76869->76868 76871 a1c13c 76869->76871 76872 a1c14c 76871->76872 76874 a1c168 76871->76874 76875 a1d3b4 76872->76875 76874->76868 76876 a1d3f5 76875->76876 76879 a1d290 76876->76879 76878 a1d42e 76878->76874 76881 a1d2b1 76879->76881 76880 a1d32c 76880->76878 76881->76880 76885 a1c97c 76881->76885 76883 a1d348 76883->76880 76884 a1c97c 6 API calls 76883->76884 76884->76880 76886 a1c99f 76885->76886 76888 a1c9a8 76886->76888 76889 a1c860 6 API calls 76886->76889 76888->76883 76889->76888 76890 a1ee44 76892 a1ee4f 76890->76892 76894 a19498 76892->76894 76895 a194a7 76894->76895 76898 a197dc 76895->76898 76899 a1942c 76895->76899 76900 a19474 76899->76900 76901 a1943c 76899->76901 76901->76900 76903 ceb794 76901->76903 76904 ceb7ae 76903->76904 76905 ceb7c1 76903->76905 76907 c392fc 76904->76907 76905->76901 76908 c39322 GlobalAddAtomW 76907->76908 76910 c39370 76908->76910 76917 c39070 76910->76917 76912 c393d1 76922 cccb1c 76912->76922 76914 c393f0 76928 cce394 76914->76928 76916 c39410 76916->76905 76918 c390d0 76917->76918 76919 c3907f SetErrorMode 76917->76919 76918->76912 76920 c390a3 76919->76920 76921 c390b2 SetErrorMode 76919->76921 76920->76921 76921->76912 76923 cccb26 76922->76923 76932 cccffc 76923->76932 76925 
cccb5f 76936 ccd5d8 76925->76936 76927 cccc47 76927->76914 76929 cce3a3 76928->76929 76930 cce4a7 LoadIconW 76929->76930 76931 cce4ca 76930->76931 76931->76916 76933 ccd00e 76932->76933 76934 ccd032 LoadCursorW 76933->76934 76935 ccd04f 76933->76935 76934->76933 76935->76925 76937 ccd5f2 76936->76937 76938 ccd66c SystemParametersInfoW 76937->76938 76939 ccd68a 76938->76939 76939->76927 76940 ce0c48 76943 ce0c50 76940->76943 76941 ce0cdb 76944 ce0d25 76941->76944 76953 ce0e9b 76941->76953 76954 cd0354 76941->76954 76943->76941 76945 cd0354 2 API calls 76943->76945 76946 cd0354 2 API calls 76944->76946 76947 ce0d6f 76944->76947 76945->76941 76946->76947 76948 cd0354 2 API calls 76947->76948 76951 ce0db9 76947->76951 76948->76951 76949 ce0e45 76950 cd0354 2 API calls 76949->76950 76949->76953 76950->76953 76951->76949 76952 cd0354 2 API calls 76951->76952 76952->76949 76955 cd036e 76954->76955 76958 cc544c 76955->76958 76956 cd03cd 76956->76944 76959 cc5460 76958->76959 76965 cc4a24 76959->76965 76961 cc5486 76962 cc558f 76961->76962 76969 abe834 76961->76969 76962->76956 76963 cc5517 76963->76956 76966 cc4a2d 76965->76966 76973 c2cae4 76966->76973 76968 cc4a43 76968->76961 76970 abe84a 76969->76970 76985 abe7a8 76970->76985 76972 abe89a 76972->76963 76974 c2caf5 76973->76974 76975 c2cb79 76974->76975 76977 ccd3ec 76974->76977 76975->76968 76980 ccd1a8 76977->76980 76979 ccd3f9 76979->76975 76981 ccd323 76980->76981 76982 ccd1d8 76980->76982 76981->76979 76982->76981 76983 ccd260 RegOpenKeyExW 76982->76983 76983->76982 76984 ccd273 76983->76984 76984->76979 76986 abe80c 76985->76986 76987 abe7c9 76985->76987 76986->76972 76987->76986 76988 abe7a8 KiUserCallbackDispatcher 76987->76988 76989 abe7e1 76988->76989 76991 abd0a0 76989->76991 76992 abd0b1 76991->76992 76993 abd11d 76992->76993 76996 ac54a4 76992->76996 76993->76986 76997 ac54c0 76996->76997 77000 acad64 76997->77000 76999 abd0fc 76999->76986 77001 acad9d 77000->77001 77004 c294b0 77001->77004 77002 acaf5c 
77002->76999 77005 c294ca KiUserCallbackDispatcher 77004->77005 77005->77002 77006 c7cee0 77007 c7cee9 77006->77007 77009 c7cef5 77006->77009 77010 c78164 77007->77010 77011 c7816e 77010->77011 77012 c781e4 77011->77012 77014 a3af3c 77011->77014 77012->77009 77015 a3af69 GetFileVersionInfoSizeW 77014->77015 77017 a3affc 77015->77017 77018 a3af89 GetFileVersionInfoW 77015->77018 77017->77012 77020 a3afbc 77018->77020 77020->77012 77042 d1a726 77043 d1a731 __DllMainCRTStartup@12 77042->77043 77046 d1a630 77043->77046 77045 d1a744 77047 d1a63c _flsall 77046->77047 77048 d1a6d9 _flsall 77047->77048 77050 d1a689 77047->77050 77054 d1a4fb 77047->77054 77048->77045 77050->77048 77051 d1a6b9 77050->77051 77053 d1a4fb ___DllMainCRTStartup 24 API calls 77050->77053 77051->77048 77052 d1a4fb ___DllMainCRTStartup 24 API calls 77051->77052 77052->77048 77053->77051 77055 d1a586 77054->77055 77062 d1a50a ___DllMainCRTStartup 77054->77062 77056 d1a5bd 77055->77056 77057 d1a58c 77055->77057 77058 d1a5c2 77056->77058 77059 d1a61b 77056->77059 77060 d1a5a7 77057->77060 77067 d1a515 77057->77067 77104 d1d5aa 9 API calls _doexit 77057->77104 77108 d1b2d5 TlsGetValue TlsGetValue TlsGetValue TlsSetValue _raise 77058->77108 77059->77067 77113 d1b5ef 12 API calls 2 library calls 77059->77113 77060->77067 77105 d1d85b 9 API calls __setenvp 77060->77105 77062->77067 77096 d1b65d 11 API calls 6 library calls 77062->77096 77064 d1a5c7 77109 d1d25a 9 API calls __calloc_impl 77064->77109 77067->77050 77070 d1a525 77097 d1dd8f HeapFree HeapFree 77070->77097 77071 d1a5b1 77106 d1b309 10 API calls 2 library calls 77071->77106 77072 d1a5d3 77072->77067 77110 d1b25a TlsGetValue TlsGetValue __onexit_nolock 77072->77110 77076 d1a5b6 77107 d1dd8f HeapFree HeapFree 77076->77107 77077 d1a5f1 77079 d1a5f8 77077->77079 77080 d1a60f 77077->77080 77111 d1b346 9 API calls 3 library calls 77079->77111 77112 d1a749 9 API calls 2 library calls 77080->77112 77081 d1a521 __RTC_Initialize 77081->77070 77098 d1d607 
9 API calls 3 library calls 77081->77098 77085 d1a5ff 77085->77050 77086 d1a54b 77087 d1a54f 77086->77087 77100 d1db21 15 API calls 3 library calls 77086->77100 77099 d1b309 10 API calls 2 library calls 77087->77099 77090 d1a55b 77091 d1a56f 77090->77091 77101 d1d8a9 15 API calls 5 library calls 77090->77101 77091->77067 77103 d1d85b 9 API calls __setenvp 77091->77103 77094 d1a564 77094->77091 77102 d1d3e3 11 API calls 5 library calls 77094->77102 77096->77081 77097->77067 77098->77086 77099->77070 77100->77090 77101->77094 77102->77091 77103->77087 77104->77060 77105->77071 77106->77076 77107->77067 77108->77064 77109->77072 77110->77077 77111->77085 77112->77067 77113->77067 77114 d19568 77116 d1981e 77114->77116 77117 d19842 77116->77117 77121 d19844 std::bad_alloc::bad_alloc 77116->77121 77124 d1bd76 77116->77124 77140 d1be4f TlsGetValue TlsGetValue _raise 77116->77140 77119 d1986a 77142 d19801 9 API calls std::exception::exception 77119->77142 77121->77119 77141 d1bd10 11 API calls __cinit 77121->77141 77123 d19874 FindHandler 77125 d1be29 77124->77125 77131 d1bd88 _malloc 77124->77131 77149 d1be4f TlsGetValue TlsGetValue _raise 77125->77149 77127 d1be2f 77150 d1ba3e 9 API calls _raise 77127->77150 77130 d1be21 77130->77116 77131->77130 77134 d1bde5 RtlAllocateHeap 77131->77134 77135 d1be15 77131->77135 77138 d1be1a 77131->77138 77143 d1fe3d 9 API calls 2 library calls 77131->77143 77144 d1fc92 9 API calls 6 library calls 77131->77144 77145 d1bd27 9 API calls 3 library calls 77131->77145 77146 d1be4f TlsGetValue TlsGetValue _raise 77131->77146 77134->77131 77147 d1ba3e 9 API calls _raise 77135->77147 77148 d1ba3e 9 API calls _raise 77138->77148 77140->77116 77141->77119 77142->77123 77143->77131 77144->77131 77145->77131 77146->77131 77147->77138 77148->77130 77149->77127 77150->77130 77151 cea114 77152 cea127 77151->77152 77154 cea1b2 77151->77154 77153 cea1a8 GetNativeSystemInfo 77152->77153 77152->77154 77153->77154 77155 c2f118 77158 cc6710 77155->77158 
77156 c2f147 77159 cc672a 77158->77159 77162 cc672f 77158->77162 77161 cc6801 77159->77161 77159->77162 77163 c2f53c 3 API calls 77161->77163 77164 cc6827 77162->77164 77165 c2f53c 77162->77165 77163->77164 77164->77156 77171 c2f556 77165->77171 77166 c2f5b0 77167 c2f5d9 77166->77167 77172 c2f5b5 77166->77172 77168 c2f72e 77167->77168 77179 c2f5bb 77167->77179 77169 c2acc0 3 API calls 77168->77169 77178 c2f739 77169->77178 77170 c2f5f5 77175 c2fa7b 77170->77175 77170->77179 77184 c7d288 GetFileVersionInfoSizeW GetFileVersionInfoW 77170->77184 77171->77166 77171->77170 77171->77178 77176 c2f9ec 77172->77176 77172->77179 77175->77164 77177 c2acc0 3 API calls 77176->77177 77176->77178 77177->77178 77178->77164 77179->77178 77180 c2acc0 77179->77180 77181 c2acd6 77180->77181 77182 c2aedb 77181->77182 77185 cc9c2c 77181->77185 77182->77178 77184->77179 77186 cc9c3b 77185->77186 77189 cc7b98 77186->77189 77188 cc9c4c 77188->77182 77190 cc7bbc 77189->77190 77191 cc7c7d 77190->77191 77192 cc7d31 77190->77192 77194 cc7cca 77191->77194 77196 c7d2a4 GetFileVersionInfoSizeW GetFileVersionInfoW 77191->77196 77193 cc7d45 KiUserCallbackDispatcher 77192->77193 77192->77194 77193->77194 77194->77188 77196->77194 77021 11be776 CreateToolhelp32Snapshot 77022 11be78b 77021->77022

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 348 11be776-11be781 CreateToolhelp32Snapshot 349 11be78b-11be80b call 11b388b 348->349 352 11be80d 349->352 353 11be864 349->353 354 11be810 352->354 353->354 355 11be866-11be86a 353->355 356 11be812 354->356 357 11be851-11be857 354->357 358 11be86b-11be886 355->358 356->358 359 11be814-11be817 356->359 357->353 360 11be889-11be8c1 358->360 359->357 361 11be8c3-11be8d7 360->361 362 11be916-11be91b 360->362 361->360 363 11be91d 362->363 364 11be8d8-11be912 363->364 365 11be91f-11be927 363->365 364->362 366 11be929 365->366 367 11be988 365->367 366->367 367->363 368 11be98a-11be990 367->368 370 11be9af-11be9ba 368->370 371 11be992-11be995 368->371 372 11be9bd-11be9cf 370->372 373 11bea22-11bea31 370->373 372->373
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 011BE781
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3403331434.00000000011AE000.00000020.00000001.01000000.00000007.sdmp, Offset: 011AE000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_11ae000_windows10.jbxd
                                          Similarity
                                          • API ID: CreateSnapshotToolhelp32
                                          • String ID: X1lU
                                          • API String ID: 3332741929-3625842214
                                          • Opcode ID: 4cee14eaf3c73f4487fcd0926f3d43ca7a7571200f69fc29232253942c029cf3
                                          • Instruction ID: 3287d364f92997193777f15e17320143f0b38a17970f7d4f521df8c21def94c2
                                          • Opcode Fuzzy Hash: 4cee14eaf3c73f4487fcd0926f3d43ca7a7571200f69fc29232253942c029cf3
                                          • Instruction Fuzzy Hash: 42518831804B52CFCB1ADF38C8814EA7BE1FF8A324764466DC4958B2A2D7309816CF91

                                          Control-flow Graph

                                          APIs
                                          • GlobalAddAtomW.KERNEL32(00000000), ref: 00C39350
                                            • Part of subcall function 00C39070: SetErrorMode.KERNELBASE(00008000), ref: 00C39084
                                            • Part of subcall function 00C39070: SetErrorMode.KERNELBASE(?,00C390D0), ref: 00C390C3
                                            • Part of subcall function 00CCE394: LoadIconW.USER32(00CF4040,MAINICON,?,?,?,00C39410), ref: 00CCE4BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: ErrorMode$AtomGlobalIconLoad
                                          • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DelphiRM_GetObjectInstance$USER32
                                          • API String ID: 1953398334-1139167764
                                          • Opcode ID: e9f43a62be39bb10d330f449d2e12b178dad977fcb2d1bbc53f017a888073c5e
                                          • Instruction ID: aa07e2538397a654e1f087b4b9a489e763896b16dea96243e6bbd5d30fc0acdc
                                          • Opcode Fuzzy Hash: e9f43a62be39bb10d330f449d2e12b178dad977fcb2d1bbc53f017a888073c5e
                                          • Instruction Fuzzy Hash: 9C415B74A102459FCB44EFB8ED82BAE77E5EB49304F404435F414EB362EB75AA05CB62

                                          Control-flow Graph

                                          APIs
                                          • __RTC_Initialize.LIBCMT ref: 00D1A52C
                                          • __mtterm.LIBCMT ref: 00D1A54F
                                            • Part of subcall function 00D1B309: TlsFree.KERNEL32(00D2C65C,00D1A5B6), ref: 00D1B334
                                          • __setenvp.LIBCMT ref: 00D1A55F
                                          • __cinit.LIBCMT ref: 00D1A56A
                                          • __mtterm.LIBCMT ref: 00D1A5B1
                                          • ___set_flsgetvalue.LIBCMT ref: 00D1A5C2
                                            • Part of subcall function 00D1B2D5: TlsGetValue.KERNEL32(?,00D1B444), ref: 00D1B2DE
                                            • Part of subcall function 00D1B2D5: TlsSetValue.KERNEL32(00000000), ref: 00D1B2FF
                                            • Part of subcall function 00D1D25A: __calloc_impl.LIBCMT ref: 00D1D26B
                                          • __freeptd.LIBCMT ref: 00D1A621
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: Value__mtterm$FreeInitialize___set_flsgetvalue__calloc_impl__cinit__freeptd__setenvp
                                          • String ID:
                                          • API String ID: 3546094511-0
                                          • Opcode ID: 3fc87aaffafcfcacc45c9c48a77a595cf0f13b7e9da429ab85cddee31e7ac9af
                                          • Instruction ID: ef39a130469e4d74959cca38dec86687305e1c41059025fcc011791226878e03
                                          • Opcode Fuzzy Hash: 3fc87aaffafcfcacc45c9c48a77a595cf0f13b7e9da429ab85cddee31e7ac9af
                                          • Instruction Fuzzy Hash: E021B07250E742B9AA2177BDBC02AEE336BEE61764B280427F455C1182EF34C4C28573

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 218 ccd1a8-ccd1d2 219 ccd1d8-ccd206 218->219 220 ccd334-ccd352 218->220 225 ccd20c-ccd216 219->225 226 ccd323-ccd32d 219->226 227 ccd219-ccd225 call c39244 225->227 226->220 230 ccd22b-ccd26d RegOpenKeyExW 227->230 231 ccd316-ccd31d 227->231 230->231 233 ccd273-ccd2a7 230->233 231->226 231->227 235 ccd2f8-ccd30e 233->235 236 ccd2a9-ccd2e0 233->236 236->235 240 ccd2e2-ccd2ee 236->240 240->235
                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00CCD266
                                          Strings
                                          • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00CCD250
                                          • layout text, xrefs: 00CCD297
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                          • API String ID: 71445658-2652665750
                                          • Opcode ID: 54526a516c18e6d90334a15691a67e90659da57f2a845e609b1f6da4a5370a30
                                          • Instruction ID: 13ad94d1a846c0e0d09a4832e1898112a856c24ad8cfd25be718576e980f52b5
                                          • Opcode Fuzzy Hash: 54526a516c18e6d90334a15691a67e90659da57f2a845e609b1f6da4a5370a30
                                          • Instruction Fuzzy Hash: 0F413875A00248AFDB11DF98CA81FAEB7F9EB09700F5440A9E905E7251E770AF44CB62

Control-flow Graph
• Function entry: 00C39070 (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • SetErrorMode.KERNELBASE(00008000), ref: 00C39084
                                          • SetErrorMode.KERNELBASE(?,00C390D0), ref: 00C390C3
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID: imm32.dll
                                          • API String ID: 2340568224-1815517138
                                          • Opcode ID: 33e502b0de6f9931a7ccedf3544ef1897f010ae99725b58abe00f91d6386e2b5
                                          • Instruction ID: 9be208209bfc6ca1f364c611d28918c9ecf3489f290d2845b447aaafdb61ad3f
                                          • Opcode Fuzzy Hash: 33e502b0de6f9931a7ccedf3544ef1897f010ae99725b58abe00f91d6386e2b5
                                          • Instruction Fuzzy Hash: F6F02772518304AFDB19EB69AE02B297BE8D74A710F9180B5F408835A0D6B99940CB21

Control-flow Graph
• Function entry: 00D19568 (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • _malloc.LIBCMT ref: 00D19838
                                            • Part of subcall function 00D1BD76: __FF_MSGBANNER.LIBCMT ref: 00D1BD99
                                            • Part of subcall function 00D1BD76: __NMSG_WRITE.LIBCMT ref: 00D1BDA0
                                            • Part of subcall function 00D1BD76: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00D1BDED
                                          • std::bad_alloc::bad_alloc.LIBCMT ref: 00D1985B
                                            • Part of subcall function 00D197B4: std::exception::exception.LIBCMT ref: 00D197C0
                                          • std::bad_exception::bad_exception.LIBCMT ref: 00D1986F
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                          • String ID:
                                          • API String ID: 832318072-0
                                          • Opcode ID: 4818964ce87021f06934545cc9fb3979abc8a5d6bf965a72c09ee37778d6033b
                                          • Instruction ID: e8309c1550dee0d191eb37a109a91b855e46833b7452ba7772ba93d296e2cf64
                                          • Opcode Fuzzy Hash: 4818964ce87021f06934545cc9fb3979abc8a5d6bf965a72c09ee37778d6033b
                                          • Instruction Fuzzy Hash: 7201FC31504209BA8F14BB61F8359EAB7A8DF92768B188075F84687191EF71DDC1C6B1

Control-flow Graph
• Function entry: 00CCE394 (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • LoadIconW.USER32(00CF4040,MAINICON,?,?,?,00C39410), ref: 00CCE4BC
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: MAINICON
                                          • API String ID: 2457776203-2283262055
                                          • Opcode ID: c00751fd92bf931e524e1518e772bec981c08aecbc481e8b8bffe85fc0870c1f
                                          • Instruction ID: 430859f5f765c722befca51ad6f508b35d7cad5fbe6e16d74b3d71f09efc73c7
                                          • Opcode Fuzzy Hash: c00751fd92bf931e524e1518e772bec981c08aecbc481e8b8bffe85fc0870c1f
                                          • Instruction Fuzzy Hash: 23612D706043809FDB50EF68D985B897BE5AF06304F4940B9EC48CF357DB759A88CB61

Control-flow Graph
• Function entry: 00A3AF3C (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • GetFileVersionInfoSizeW.KERNELBASE(00000000), ref: 00A3AF7E
                                          • GetFileVersionInfoW.KERNELBASE(00000000), ref: 00A3AFB3
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000A2B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A2B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_a2b000_windows10.jbxd
                                          Similarity
                                          • API ID: FileInfoVersion$Size
                                          • String ID:
                                          • API String ID: 2104008232-0
                                          • Opcode ID: 402f1889bdc4b2e12c4c4e42360ec3aad1ab81b96322b2a3c91f07f6f96eb833
                                          • Instruction ID: 66ab8f647291f0eb1e8918be95150cb61309198495681c5c615a2c85f230a74f
                                          • Opcode Fuzzy Hash: 402f1889bdc4b2e12c4c4e42360ec3aad1ab81b96322b2a3c91f07f6f96eb833
                                          • Instruction Fuzzy Hash: 18214CB5A00209BFDB15EFA8DE928AFB7FCFB49700B514871B510E3651EB349E40DA21

Control-flow Graph
• Function entry: 00CC7B98 (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00CC7DC8), ref: 00CC7D46
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: bc1dd123e0fea2b601070974b22bc1fbb4645fd16c27d7930af599d4652600da
                                          • Instruction ID: 7722a9aa038865051a19f1394e0cc15526c3e7507357c11c0a69cf095ccee84c
                                          • Opcode Fuzzy Hash: bc1dd123e0fea2b601070974b22bc1fbb4645fd16c27d7930af599d4652600da
                                          • Instruction Fuzzy Hash: 48518E306083455BDB21AF38D986BAA3695EF05300F0856BDFC569B297CA78CE49DB50

Control-flow Graph
• Function entry: 00CEA114 (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • GetNativeSystemInfo.KERNELBASE(?), ref: 00CEA1AD
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000CEA000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CEA000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_cea000_windows10.jbxd
                                          Similarity
                                          • API ID: InfoNativeSystem
                                          • String ID:
                                          • API String ID: 1721193555-0
                                          • Opcode ID: 45b33a135b9e1827a1f5956b0c377c008ee3e88edbe7ae465ae861eafafcda2a
                                          • Instruction ID: 76d563eaf9206df7b20bc3932cdabdbb5dc7113ddc729477f37065ab3c5b9462
                                          • Opcode Fuzzy Hash: 45b33a135b9e1827a1f5956b0c377c008ee3e88edbe7ae465ae861eafafcda2a
                                          • Instruction Fuzzy Hash: F7613E702082C49FCB54DB2ADA417BE77F1BB84308F60482AE1558B275DB75EE89CB43

Control-flow Graph
• Function entry: 00CCD5D8 (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • SystemParametersInfoW.USER32(00000029,00000000,?,00000000,?,00000000,00CBF730,?,00CCCC47,00000000,00000000,00CC783C,6E6F4646,?,?,00000000), ref: 00CCD681
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: InfoParametersSystem
                                          • String ID:
                                          • API String ID: 3098949447-0
                                          • Opcode ID: b165dc168321ecb33bd77216a96fe2d374144222bf93b05fb6db6a82794e8295
                                          • Instruction ID: 2688eab8509ca6489dada56eb08b7d48f6626b0d70665e16cc778fd378ff5884
                                          • Opcode Fuzzy Hash: b165dc168321ecb33bd77216a96fe2d374144222bf93b05fb6db6a82794e8295
                                          • Instruction Fuzzy Hash: 85415E316002149BEB50FB78DD82B9A33E9AB09700F544471B90CDB29BDE359D45DB66

Control-flow Graph
• Function entry: 00D0B5B0 (interactive graph not reproduced; node list with executed/not-executed colouring omitted)
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00D0B655
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D0B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D0B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d0b000_windows10.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: d4bad12da2fdd539c0c8a4a10605c6f181b2f49d6bab8bfff8aac16ca0e965f8
                                          • Instruction ID: 6f5043a4e469b077a9a36ed40660820a73f4e5b7f82f754f94eb585e6085d7d7
                                          • Opcode Fuzzy Hash: d4bad12da2fdd539c0c8a4a10605c6f181b2f49d6bab8bfff8aac16ca0e965f8
                                          • Instruction Fuzzy Hash: 1D11AF2024860A1AEB1989BDCC12F6E7BE6CFD2330F49877DB5168B5D4DA30840547A6
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00D0B655
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D0B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D0B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d0b000_windows10.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 5429865e6951855d6711af4d11da7e6a40cb0d06f152d3c263eb90cf91d7c082
                                          • Instruction ID: 85dcad81bc70f7b6590428bf9c8504dc8af0bcf9be5382a41d7f7741c6310594
                                          • Opcode Fuzzy Hash: 5429865e6951855d6711af4d11da7e6a40cb0d06f152d3c263eb90cf91d7c082
                                          • Instruction Fuzzy Hash: 6DF02B3174410D26DB1488BC9C12BBDB79ACBD2730F1943AAB919CA2D4E57148054291
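
Added example, not part of the Joe Sandbox report: a small Python triage script that parses API-call lines in the "• API.Module(args), ref: addr" format used in these listings, decodes the Win32 constants visible in them (registry hive for RegOpenKeyExW, SetErrorMode flags, the SystemParametersInfoW action) and flags the WriteProcessMemory call as a cross-process write. The sample lines are copied from this section; the "5 bytes is a JMP rel32" hint is my own heuristic, not a finding of the report, and argument columns in these listings are not guaranteed to line up with the documented parameter order.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample input: API-call lines copied from the function listings above.
SAMPLE_LINES = """
• RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00CCD266
• SetErrorMode.KERNELBASE(00008000), ref: 00C39084
• SystemParametersInfoW.USER32(00000029,00000000,?,00000000,?,00000000,00CBF730,?,00CCCC47,00000000,00000000,00CC783C,6E6F4646,?,?,00000000), ref: 00CCD681
• WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00D0B655
• LoadIconW.USER32(00CF4040,MAINICON,?,?,?,00C39410), ref: 00CCE4BC
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]  # hex value, literal string (e.g. MAINICON), or None for "?"


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int  # address of the call site


def _parse_arg(tok: str) -> Arg:
    if tok == "?":
        return None  # value not resolved by the sandbox
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one listing line; lines without an argument list (e.g. LIBCMT refs) yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [_parse_arg(t.strip()) for t in m.group("args").split(",") if t.strip()]
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


# Constant decoders (values as defined in the Win32 SDK headers).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SEM_FLAGS = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
             0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
SPI_ACTIONS = {0x0029: "SPI_GETNONCLIENTMETRICS"}
JMP_REL32_LEN = 5  # E9 xx xx xx xx: the usual inline-hook patch length


def annotate(call: ApiCall) -> List[str]:
    """Return readable notes for one call; the WriteProcessMemory size hint is a heuristic."""
    notes: List[str] = []
    a0 = call.args[0] if call.args else None
    if call.api == "RegOpenKeyExW" and isinstance(a0, int):
        notes.append("hive=" + HIVES.get(a0, hex(a0)))
    elif call.api == "SetErrorMode" and isinstance(a0, int):
        names = [n for bit, n in SEM_FLAGS.items() if a0 & bit] or [hex(a0)]
        notes.append("mode=" + "|".join(names))
    elif call.api == "SystemParametersInfoW" and isinstance(a0, int):
        notes.append("action=" + SPI_ACTIONS.get(a0, hex(a0)))
    elif call.api == "WriteProcessMemory":
        notes.append("cross-process memory write")
        # Assumption, not from the report: a resolved argument equal to 5 matches the
        # length of a JMP rel32. Column alignment in these listings is not fixed, so
        # this only hints that the write is inline-hook sized.
        if JMP_REL32_LEN in [a for a in call.args if isinstance(a, int)]:
            notes.append("inline-hook-sized write (5 bytes)")
    return notes


def triage(text: str) -> List[dict]:
    """Parse every API-call line in `text` and attach decoded notes to each."""
    rows = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            rows.append({"api": call.api, "ref": f"{call.ref:08X}", "notes": annotate(call)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(f"{row['ref']}  {row['api']:<22} {'; '.join(row['notes'])}")
```

Lines that carry no argument list (the LIBCMT runtime references and the indented "Part of subcall function" entries) are skipped on purpose, so the script can be pointed at a whole listing section without pre-filtering.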
                                          APIs
                                          • LoadCursorW.USER32(00000000,00000000,?,?,?,00CBF730,00CCCB5F,?,?,00000000,?,00C393F0), ref: 00CCD036
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: CursorLoad
                                          • String ID:
                                          • API String ID: 3238433803-0
                                          • Opcode ID: 8128491b500596d459e36f74daf85e5afc08def0d265430a6cf83859265268bc
                                          • Instruction ID: ffaa010e7a3827b5705f863716a6d648ae49a4e0850d9105d30c94e4d482fd76
                                          • Opcode Fuzzy Hash: 8128491b500596d459e36f74daf85e5afc08def0d265430a6cf83859265268bc
                                          • Instruction Fuzzy Hash: 3AF0A0526456041B9A605A3D9CC0F7E7288CB86330F21033AFA7BC72D1CA251C0656A1
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00C294EB
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000BED000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BED000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_bed000_windows10.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                          • Instruction ID: e0bbe715bca3811110881742a92ef003db1fcb23f4917bcbe1fd8e336695c67c
                                          • Opcode Fuzzy Hash: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                          • Instruction Fuzzy Hash: D4F0DA762047119FC310DF5CC88494BB7E9EF89259F044A59F986DB351C771E814CB92
                                          APIs
                                          • _malloc.LIBCMT ref: 00D19838
                                            • Part of subcall function 00D1BD76: __FF_MSGBANNER.LIBCMT ref: 00D1BD99
                                            • Part of subcall function 00D1BD76: __NMSG_WRITE.LIBCMT ref: 00D1BDA0
                                            • Part of subcall function 00D1BD76: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00D1BDED
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_malloc
                                          • String ID:
                                          • API String ID: 501242067-0
                                          • Opcode ID: 9fddc94e5dbf1e6244022615b92a186c3a5620306a6be185b52e64ba786d58d8
                                          • Instruction ID: 1aa2d230cafdb2e52a59abe85467a315328fb6eb817c21b12e0a8b14e8d5f502
                                          • Opcode Fuzzy Hash: 9fddc94e5dbf1e6244022615b92a186c3a5620306a6be185b52e64ba786d58d8
                                          • Instruction Fuzzy Hash: 5ED05E3144850ABA8A6036BA786A8FD7FAC8E923587244021F80A92192EE50D592D4F2
                                          APIs
                                          • TlsSetValue.KERNEL32(00000000,?,?,00D1A521), ref: 00D1B720
                                          • __init_pointers.LIBCMT ref: 00D1B72A
                                          • __mtterm.LIBCMT ref: 00D1B7E0
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: Value__init_pointers__mtterm
                                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                          • API String ID: 345306816-3819984048
                                          • Opcode ID: 8fc95aa74ac260978f4a2c0668af965b751fb6f0621526e85bc86b0d755ae5eb
                                          • Instruction ID: 71b0d8c2ac892902fb2e0cddd656b4f5feb4b1379ea1fe7ab934763f323f2b4e
                                          • Opcode Fuzzy Hash: 8fc95aa74ac260978f4a2c0668af965b751fb6f0621526e85bc86b0d755ae5eb
                                          • Instruction Fuzzy Hash: A0314830840310BAC7257B79FD46A9B3AB4EF64764B14493FE814D23B2EFB594878A74
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000100,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,?,?), ref: 00D1EDFA
                                          • _malloc.LIBCMT ref: 00D1EE33
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00D1EE66
                                          • _malloc.LIBCMT ref: 00D1EEF5
                                          • __freea.LIBCMT ref: 00D1EF4D
                                          • __freea.LIBCMT ref: 00D1EF56
                                          • _malloc.LIBCMT ref: 00D1F00B
                                          • _memset.LIBCMT ref: 00D1F02D
                                          • __freea.LIBCMT ref: 00D1F078
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: __freea_malloc$ByteCharMultiWide$_memset
                                          • String ID:
                                          • API String ID: 340271106-0
                                          • Opcode ID: d753f7bc65cd15f44f1e78dd376a3d5825cc031e8c32a67742be33f3ba3f823f
                                          • Instruction ID: 3d0aa1d01192a63897606043f7347dde27715c1c5f08944ccc0ea02076805aa6
                                          • Opcode Fuzzy Hash: d753f7bc65cd15f44f1e78dd376a3d5825cc031e8c32a67742be33f3ba3f823f
                                          • Instruction Fuzzy Hash: 94B19A72800119BFDF219FA4EC859EE7BB6EF48314B18452AFD05A6161DB31CD92DBB0
                                          APIs
                                          • _strlen.LIBCMT ref: 00D21EF5
                                          • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,00000000,?,00D1F2FE,?,?,?,?,?,?,?,?), ref: 00D21F35
                                          • _malloc.LIBCMT ref: 00D21F45
                                          • _memset.LIBCMT ref: 00D21F6D
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,?,?,?,?,?,00D1F2FE,?), ref: 00D21F84
                                          • __freea.LIBCMT ref: 00D2200C
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$__freea_malloc_memset_strlen
                                          • String ID:
                                          • API String ID: 3923921168-0
                                          • Opcode ID: 50f733376d1d3de6c816138f038dbbfbf38206902c10f4bfe7b80018f8c04914
                                          • Instruction ID: 0d93ebe917ddf31efaacf33009a4ee1138ed8b86494e6f5222be3fb5ffd4de55
                                          • Opcode Fuzzy Hash: 50f733376d1d3de6c816138f038dbbfbf38206902c10f4bfe7b80018f8c04914
                                          • Instruction Fuzzy Hash: 7E517032D00229BECF219FA5ED45CEFBBB9EFA9754F244125F528A6150D7318941CB70
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: String___crt$Type_memset
                                          • String ID:
                                          • API String ID: 1957702402-3916222277
                                          • Opcode ID: 589b5857ee829584291f08bb03850fd78d17bad1b012feffb2e6cbf33b835490
                                          • Instruction ID: 0fb3f4f5f53f240f7692f69e68a1025b626900d952d1c380e5bcfadc185f50ae
                                          • Opcode Fuzzy Hash: 589b5857ee829584291f08bb03850fd78d17bad1b012feffb2e6cbf33b835490
                                          • Instruction Fuzzy Hash: 844114B010075C6EDB218B28AC95BFBBBE9DB05304F5844E9E9C686183D5719EC58F31
                                          APIs
                                          • _ValidateScopeTableHandlers.LIBCMT ref: 00D24761
                                          • __FindPESection.LIBCMT ref: 00D2477B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: FindHandlersScopeSectionTableValidate
                                          • String ID:
                                          • API String ID: 876702719-0
                                          • Opcode ID: 0cbe388736d6f0ccb7937470c5397cce7aa46830ec25f314f77dc73cdd388001
                                          • Instruction ID: 01c817189890e26219af11db758b4a4c24e9c0afb80d8fe8d803e1b0a544655d
                                          • Opcode Fuzzy Hash: 0cbe388736d6f0ccb7937470c5397cce7aa46830ec25f314f77dc73cdd388001
                                          • Instruction Fuzzy Hash: C191B472A006288BCB25CB58F84076EB7B5EBA5718F1A4539EC55D73A1D731EC41CBB0
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00D1F2FE,?,?,?), ref: 00D1F1BA
                                          • _malloc.LIBCMT ref: 00D1F1EF
                                            • Part of subcall function 00D21E73: _strlen.LIBCMT ref: 00D21EF5
                                            • Part of subcall function 00D21E73: _memset.LIBCMT ref: 00D21F6D
                                            • Part of subcall function 00D21E73: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,?,?,?,?,?,00D1F2FE,?), ref: 00D21F84
                                          • _memset.LIBCMT ref: 00D1F20F
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00D1F224
                                          • __freea.LIBCMT ref: 00D1F23C
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$_memset$__freea_malloc_strlen
                                          • String ID:
                                          • API String ID: 574822426-0
                                          • Opcode ID: 1d21aa92e8807298e8b34bb3410a447d54ebfdfdec936124114544a18f71af25
                                          • Instruction ID: 9bc884edaaecd622501f18fdce788f562963a8d716b87d3088d6ea5714760d40
                                          • Opcode Fuzzy Hash: 1d21aa92e8807298e8b34bb3410a447d54ebfdfdec936124114544a18f71af25
                                          • Instruction Fuzzy Hash: EA518D7650021AFFCF209FA4EC819EA3BA9EB15354B18453AF914D6260DB30DDD18BB0
                                          APIs
                                          • __CreateFrameInfo.LIBCMT ref: 00D23BD1
                                            • Part of subcall function 00D234C1: __getptd.LIBCMT ref: 00D234CF
                                            • Part of subcall function 00D234C1: __getptd.LIBCMT ref: 00D234DD
                                          • __getptd.LIBCMT ref: 00D23BDB
                                            • Part of subcall function 00D1B4A6: __amsg_exit.LIBCMT ref: 00D1B4B6
                                          • __getptd.LIBCMT ref: 00D23BE9
                                          • __getptd.LIBCMT ref: 00D23BF7
                                          • __getptd.LIBCMT ref: 00D23C02
                                            • Part of subcall function 00D23566: __CallSettingFrame@12.LIBCMT ref: 00D235B2
                                            • Part of subcall function 00D23CCF: __getptd.LIBCMT ref: 00D23CDE
                                            • Part of subcall function 00D23CCF: __getptd.LIBCMT ref: 00D23CEC
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit
                                          • String ID:
                                          • API String ID: 3174811152-0
                                          • Opcode ID: 752ca69c7f2fe74e55275a97e0819c4f5c611b60c0bd4eab0a27b0365b19e1d4
                                          • Instruction ID: f8a68f78e25594eb4f29e5a0d48bf8865da7e5c7dd79b1a3deb3a690cabd5f23
                                          • Opcode Fuzzy Hash: 752ca69c7f2fe74e55275a97e0819c4f5c611b60c0bd4eab0a27b0365b19e1d4
                                          • Instruction Fuzzy Hash: BF11D771C10209EFDB00EFA4E985AED7BB4FF44328F10846AF814A7252DB389A559F70
                                          APIs
                                          • ___initmbctable.LIBCMT ref: 00D1DB36
                                            • Part of subcall function 00D1AE9C: __setmbcp.LIBCMT ref: 00D1AEA7
                                          • _parse_cmdline.LIBCMT ref: 00D1DB78
                                          • _parse_cmdline.LIBCMT ref: 00D1DBB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: _parse_cmdline$___initmbctable__setmbcp
                                          • String ID: C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                          • API String ID: 1290970244-3051256841
                                          • Opcode ID: d911334f8e25073e39ab083d704e35988c13a1eae44c91f947d0e25ee35014e2
                                          • Instruction ID: e60695d0e8d97537ea855ffe4884f986e19f2a79314b6234a563f0777ca87270
                                          • Opcode Fuzzy Hash: d911334f8e25073e39ab083d704e35988c13a1eae44c91f947d0e25ee35014e2
                                          • Instruction Fuzzy Hash: 8E21BB71904258BBCF10EBA8FD80CDF7BB9EA507287250575F515E7241DB305A86CBB0
                                          APIs
                                          • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00A184C3
                                          • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00A18540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00A184F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000A11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A11000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_a11000_windows10.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationLogicalProcessor
                                          • String ID: GetLogicalProcessorInformation$kernel32.dll
                                          • API String ID: 1773637529-812649623
                                          • Opcode ID: 7c9678feb9aead9777d464513eebbac83c0e05492725d884998a5ba24d76e31e
                                          • Instruction ID: c27307b6fc5efc3e1aad40fbfce1fe0798ac26243df81e67db87ca8bff252a09
                                          • Opcode Fuzzy Hash: 7c9678feb9aead9777d464513eebbac83c0e05492725d884998a5ba24d76e31e
                                          • Instruction Fuzzy Hash: CC11B671D44208BEEB10EBA4DE42BDDB7EAEF44B24F244465F404D6181EE399AC0C615
                                          APIs
                                          • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00A184C3
                                          • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00A18540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00A184F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000A11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A11000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_a11000_windows10.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationLogicalProcessor
                                          • String ID: GetLogicalProcessorInformation$kernel32.dll
                                          • API String ID: 1773637529-812649623
                                          • Opcode ID: b34dfa0b2c24874b61168997fb3448465742ba0e5d51c9ff1d89c411628887eb
                                          • Instruction ID: 5c4216d8fb84cb867e9c198d1db19de89ad9a4b658b7c3c6bc93dc7b3abb7a3a
                                          • Opcode Fuzzy Hash: b34dfa0b2c24874b61168997fb3448465742ba0e5d51c9ff1d89c411628887eb
                                          • Instruction Fuzzy Hash: 5C0152B1E44208BEEB10EBA4DE82AEDB7EEEF04B24F144565F404D6181EE79DAC4C615
                                          APIs
                                          • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00A1C871
                                          • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00A1C8CF
                                          • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00A1C92C
                                          • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00A1C95F
                                            • Part of subcall function 00A1C81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00A1C8DD), ref: 00A1C833
                                            • Part of subcall function 00A1C81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00A1C8DD), ref: 00A1C850
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3317317443.0000000000A11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A11000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_a11000_windows10.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$LanguagesPreferred$Language
                                          • String ID:
                                          • API String ID: 2255706666-0
                                          • Opcode ID: e960e23e4332c6f6a1f90701e95f2cd0a77ed6fd1a0c2bf0fa90ee4fcda38473
                                          • Instruction ID: e3e14a223d28ffebc9fe778ae86874af878920efe4b8b543345034639fe98cd9
                                          • Opcode Fuzzy Hash: e960e23e4332c6f6a1f90701e95f2cd0a77ed6fd1a0c2bf0fa90ee4fcda38473
                                          • Instruction Fuzzy Hash: 52313A70E4021E9BDB10DFE8C885BEEB7B9FF04320F004165E565E7291DB749A85CB91
                                          APIs
                                          • TlsGetValue.KERNEL32(00000000,?,00D1B258,00000000,00D222DC,00D2F6D0,00000000,00000314,?,00D1FE01,00D2F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00D1B1F1
                                          • TlsGetValue.KERNEL32(00D2C658,?,00D1B258,00000000,00D222DC,00D2F6D0,00000000,00000314,?,00D1FE01,00D2F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00D1B208
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: Value
                                          • String ID: EncodePointer$KERNEL32.DLL
                                          • API String ID: 3702945584-3682587211
                                          • Opcode ID: eb9959206154c2f03e7d63c1ee4b8e1bd4e627b7dfa0dda8ad9fcb0b37b62395
                                          • Instruction ID: dc099fa2e16c27547409b05e729d9502db2505217081de762b880fbd34c7de1a
                                          • Opcode Fuzzy Hash: eb9959206154c2f03e7d63c1ee4b8e1bd4e627b7dfa0dda8ad9fcb0b37b62395
                                          • Instruction Fuzzy Hash: 3D01B130540351BA97216779EC04EDE3F989F113B47185122F818DB662DF71DD868AF4
                                          APIs
                                          • TlsGetValue.KERNEL32(00000000,?,00D1B2F5), ref: 00D1B26C
                                          • TlsGetValue.KERNEL32(00D2C658,?,00D1B2F5), ref: 00D1B283
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: Value
                                          • String ID: DecodePointer$KERNEL32.DLL
                                          • API String ID: 3702945584-629428536
                                          • Opcode ID: 5596d801c82f29aa158d2f3c5763025ea0abee5d1b083646d5d6c4c9d90b8f93
                                          • Instruction ID: 37abbc8f19ae9f67ae92e67e79bb4cd6d75401cd18c0435aaf2fe6a7092df10c
                                          • Opcode Fuzzy Hash: 5596d801c82f29aa158d2f3c5763025ea0abee5d1b083646d5d6c4c9d90b8f93
                                          • Instruction Fuzzy Hash: 0FF03C30900626BA9B216B65FD41AEE3B999E153B17185122FC18D7261DF30DD868AF8
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: CallFrame@12Setting__getptd
                                          • String ID: j
                                          • API String ID: 3454690891-2137352139
                                          • Opcode ID: 1370c4e7aad1610067715afaa6cf2abdfdad3d5dbfab7d78be780dfe0cfbe6cb
                                          • Instruction ID: f9ef53125ab8053cc1c06697028655afe183def94503e01047f16fb5b948c57b
                                          • Opcode Fuzzy Hash: 1370c4e7aad1610067715afaa6cf2abdfdad3d5dbfab7d78be780dfe0cfbe6cb
                                          • Instruction Fuzzy Hash: D111A071905160DFCB11DF68E44539CBB70BF12718F18818AD8946F183C3B99A91CFA1
                                          APIs
                                          • ___BuildCatchObject.LIBCMT ref: 00D23F69
                                            • Part of subcall function 00D23EC4: ___BuildCatchObjectHelper.LIBCMT ref: 00D23EFA
                                          • _UnwindNestedFrames.LIBCMT ref: 00D23F80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                          • String ID: csm
                                          • API String ID: 3487967840-1018135373
                                          • Opcode ID: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                          • Instruction ID: 9994adbe97019a1a761a0b6c3e58895d76f9942459ddb925bcc4b031ac770cbf
                                          • Opcode Fuzzy Hash: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                          • Instruction Fuzzy Hash: F6014631400129BBDF126F50ED41EAA7F7AEF28358F048010FD5824161D73AEAB2EBB0
                                          APIs
                                          • __getptd.LIBCMT ref: 00D23CDE
                                            • Part of subcall function 00D1B4A6: __amsg_exit.LIBCMT ref: 00D1B4B6
                                          • __getptd.LIBCMT ref: 00D23CEC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.3400460863.0000000000D19000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D19000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_d19000_windows10.jbxd
                                          Similarity
                                          • API ID: __getptd$__amsg_exit
                                          • String ID: csm
                                          • API String ID: 1969926928-1018135373
                                          • Opcode ID: 26a396b7f8d6ad0d22a1f8c91d29c0213ce2de7ad14ed7ed1dde7fea289fa1f0
                                          • Instruction ID: 8878e31e8fc9e9f99b1b364a8b71bbfc295917655e1a1d78270ca5bed7ea144e
                                          • Opcode Fuzzy Hash: 26a396b7f8d6ad0d22a1f8c91d29c0213ce2de7ad14ed7ed1dde7fea289fa1f0
                                          • Instruction Fuzzy Hash: 44016D349002249BCF349F34E440AACF3B5AF20729F58442EE0415A252CB39ABD0CF71